Windows Analysis Report
Po Ord000393901A.exe

Overview

General Information

Sample name: Po Ord000393901A.exe
Analysis ID: 1670819
MD5: 6ef767084e7e1d69376e90229ba4313a
SHA1: 4e12ec87ed3b91e4ed3933f4f0caab9f0d8b672d
SHA256: 93121608e51deebc9509590a56c40bbe42e61ca4e26342122ecefd2db181d945
Tags: DarkTortilla, exe, user-lowmal3

Detection

DarkTortilla
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected DarkTortilla Crypter
.NET source code contains method to dynamically call methods (often used by packers)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates an undocumented autostart registry key
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign process
Joe Sandbox ML detected suspicious sample
Tries to delay execution (extensive OutputDebugStringW loop)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to detect virtual machines (SGDT)
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion NT Autorun Keys Modification
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry

Classification

Classification chart categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner (scale: clean, suspicious, malicious)
Name: DarkTortilla
Description: DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks Counter Threat Unit (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging. From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.darktortilla

AV Detection

Source: Po Ord000393901A.exe Avira: detected
Source: C:\Users\user\AppData\Roaming\selenom.exe Avira: detection malicious, Label: HEUR/AGEN.1306374
Source: C:\Users\user\AppData\Roaming\selenom.exe ReversingLabs: Detection: 63%
Source: Po Ord000393901A.exe Virustotal: Detection: 41% Perma Link
Source: Po Ord000393901A.exe ReversingLabs: Detection: 63%
Source: Submitted Sample Neural Call Log Analysis: 99.9%
Source: Po Ord000393901A.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 16
Source: selenom.exe, 00000012.00000002.2546327100.0000000008077000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://purl.oenCi
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_07239B88 CreateProcessAsUserW, 18_2_07239B88
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_04D081D0 0_2_04D081D0
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_04D08EB8 0_2_04D08EB8
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_04D08880 0_2_04D08880
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_04D05130 0_2_04D05130
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_04D05120 0_2_04D05120
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_073D47F0 0_2_073D47F0
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_073D47C8 0_2_073D47C8
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_073DBBD4 0_2_073DBBD4
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_073D6AA0 0_2_073D6AA0
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_073D6A80 0_2_073D6A80
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_073D0006 0_2_073D0006
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_073D0040 0_2_073D0040
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_076E4688 0_2_076E4688
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_076E4678 0_2_076E4678
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_076EE370 0_2_076EE370
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_0771F518 0_2_0771F518
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_07710040 0_2_07710040
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_07714418 0_2_07714418
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_07714408 0_2_07714408
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_077334ED 0_2_077334ED
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_0773329E 0_2_0773329E
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_07730040 0_2_07730040
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_07730007 0_2_07730007
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_07733E5C 0_2_07733E5C
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_07736CC5 0_2_07736CC5
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_08C42B90 0_2_08C42B90
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_08C42ACF 0_2_08C42ACF
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_08C462EC 0_2_08C462EC
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_08C4B8F7 0_2_08C4B8F7
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_08C42A83 0_2_08C42A83
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_08C40040 0_2_08C40040
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_08C40013 0_2_08C40013
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_08C4A9D0 0_2_08C4A9D0
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_08C4A9E0 0_2_08C4A9E0
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_08C42B80 0_2_08C42B80
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_08C46398 0_2_08C46398
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_08C47F5F 0_2_08C47F5F
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_08C48178 0_2_08C48178
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_08C4E978 0_2_08C4E978
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_08C4B908 0_2_08C4B908
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_08C4F91D 0_2_08C4F91D
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_08C691F8 0_2_08C691F8
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_08C63D98 0_2_08C63D98
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_08C6B8D4 0_2_08C6B8D4
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_08C60040 0_2_08C60040
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_08C60011 0_2_08C60011
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_08C61BC3 0_2_08C61BC3
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_08C691E4 0_2_08C691E4
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_08C67FE0 0_2_08C67FE0
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_08C67FF0 0_2_08C67FF0
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_08C63D88 0_2_08C63D88
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_08C63596 0_2_08C63596
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_08C61D98 0_2_08C61D98
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_08C67D4E 0_2_08C67D4E
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_08C61D51 0_2_08C61D51
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_08C61D10 0_2_08C61D10
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_08C6B918 0_2_08C6B918
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_08CDBDD8 0_2_08CDBDD8
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_08CD5498 0_2_08CD5498
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_08CD0040 0_2_08CD0040
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_08CD0006 0_2_08CD0006
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_08E04D30 0_2_08E04D30
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_08E0BD09 0_2_08E0BD09
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_08E0F4C0 0_2_08E0F4C0
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_08E0F4BD 0_2_08E0F4BD
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_08E00040 0_2_08E00040
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_08E0003F 0_2_08E0003F
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_08E061F7 0_2_08E061F7
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_08E06208 0_2_08E06208
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_08E0BE18 0_2_08E0BE18
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_08E0E7E1 0_2_08E0E7E1
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_08E0E7F0 0_2_08E0E7F0
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_08E067A8 0_2_08E067A8
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_08E067B8 0_2_08E067B8
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_090BA850 0_2_090BA850
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_090BBE0D 0_2_090BBE0D
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_090B8015 0_2_090B8015
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_090B0028 0_2_090B0028
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_090B2824 0_2_090B2824
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_090BA849 0_2_090BA849
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_090B51CE 0_2_090B51CE
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_090BBF65 0_2_090BBF65
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_090BD8FE 0_2_090BD8FE
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_09560040 0_2_09560040
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_09560006 0_2_09560006
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_0956D3D1 0_2_0956D3D1
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_0956B8C5 0_2_0956B8C5
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_0956D3E0 0_2_0956D3E0
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_0956B8E8 0_2_0956B8E8
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_0956F7B9 0_2_0956F7B9
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_0956B8A3 0_2_0956B8A3
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_095973D8 0_2_095973D8
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_0959065A 0_2_0959065A
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_0958E25E 0_2_0958E25E
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_0959B754 0_2_0959B754
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_09590645 0_2_09590645
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_0959F57D 0_2_0959F57D
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_0959F5F1 0_2_0959F5F1
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_0959B7F0 0_2_0959B7F0
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_0958E273 0_2_0958E273
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_0958BE77 0_2_0958BE77
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_0959F610 0_2_0959F610
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_0958BE8C 0_2_0958BE8C
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_09580006 0_2_09580006
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_09592A31 0_2_09592A31
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_095823B5 0_2_095823B5
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_09592A2C 0_2_09592A2C
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_09597E20 0_2_09597E20
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_09589BA3 0_2_09589BA3
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_095823A4 0_2_095823A4
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_0959B7A7 0_2_0959B7A7
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_095929A6 0_2_095929A6
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_012B81C0 18_2_012B81C0
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_012B8880 18_2_012B8880
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_012B5130 18_2_012B5130
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_012B5120 18_2_012B5120
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_04F9E000 18_2_04F9E000
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_04F9E358 18_2_04F9E358
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_04F9E353 18_2_04F9E353
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_04FA5002 18_2_04FA5002
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_04FAE238 18_2_04FAE238
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_04FAE228 18_2_04FAE228
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_04FAE1C9 18_2_04FAE1C9
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_04FA0040 18_2_04FA0040
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_04FA0006 18_2_04FA0006
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_04FCBAB8 18_2_04FCBAB8
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_04FCD1D0 18_2_04FCD1D0
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_04FCBA90 18_2_04FCBA90
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_04FCB000 18_2_04FCB000
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_04FC7278 18_2_04FC7278
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_04FC817B 18_2_04FC817B
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_04FC8180 18_2_04FC8180
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_04FC6001 18_2_04FC6001
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_04FC0040 18_2_04FC0040
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_04FC0024 18_2_04FC0024
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_04FDCE48 18_2_04FDCE48
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_04FDA948 18_2_04FDA948
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_04FDB840 18_2_04FDB840
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_04FDB829 18_2_04FDB829
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_04FDA929 18_2_04FDA929
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_04FDA002 18_2_04FDA002
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_07232BC8 18_2_07232BC8
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_07234A20 18_2_07234A20
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_07238A79 18_2_07238A79
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_0723A250 18_2_0723A250
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_07237918 18_2_07237918
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_07236720 18_2_07236720
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_07236710 18_2_07236710
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_07233BE0 18_2_07233BE0
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_07233BD0 18_2_07233BD0
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_07232A6D 18_2_07232A6D
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_07237EBF 18_2_07237EBF
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_07237909 18_2_07237909
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_07230032 18_2_07230032
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_0723843A 18_2_0723843A
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_07230040 18_2_07230040
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_07238448 18_2_07238448
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_07237CE0 18_2_07237CE0
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_07237CD0 18_2_07237CD0
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_07AA0BA0 18_2_07AA0BA0
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_07AA0B70 18_2_07AA0B70
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_07AC6001 18_2_07AC6001
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_07AC4000 18_2_07AC4000
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_07ACB000 18_2_07ACB000
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_07ACE8B9 18_2_07ACE8B9
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_07ACE8C8 18_2_07ACE8C8
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_07C44688 18_2_07C44688
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_07C44678 18_2_07C44678
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_07C4E370 18_2_07C4E370
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_07C80040 18_2_07C80040
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_07C84008 18_2_07C84008
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_07C84018 18_2_07C84018
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_07CCE978 18_2_07CCE978
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_07CCD000 18_2_07CCD000
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_07CC6019 18_2_07CC6019
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_07CC7F5F 18_2_07CC7F5F
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_07CC6398 18_2_07CC6398
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_07CCA001 18_2_07CCA001
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_07CCA9D0 18_2_07CCA9D0
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_07CCA9E0 18_2_07CCA9E0
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_07CF1BC3 18_2_07CF1BC3
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_07CF0040 18_2_07CF0040
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_07CF001B 18_2_07CF001B
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_07CF1D10 18_2_07CF1D10
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_07CF3000 18_2_07CF3000
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_07CFB001 18_2_07CFB001
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_07CF7003 18_2_07CF7003
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_07CF7FE0 18_2_07CF7FE0
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_07CF7FF0 18_2_07CF7FF0
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_07D40040 18_2_07D40040
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_07D43E5C 18_2_07D43E5C
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_07D46CC5 18_2_07D46CC5
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_07D434ED 18_2_07D434ED
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_07D463C3 18_2_07D463C3
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_07D4329E 18_2_07D4329E
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_07D40006 18_2_07D40006
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_092E9001 18_2_092E9001
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_092E3001 18_2_092E3001
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_092EF000 18_2_092EF000
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_0940B058 18_2_0940B058
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_0940BA20 18_2_0940BA20
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_09408B28 18_2_09408B28
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_09409BC1 18_2_09409BC1
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_0940C8D0 18_2_0940C8D0
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_0940A7E0 18_2_0940A7E0
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_0940EF88 18_2_0940EF88
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_09400040 18_2_09400040
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_0940E940 18_2_0940E940
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_0940375A 18_2_0940375A
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_0940EB68 18_2_0940EB68
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_09403770 18_2_09403770
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_0940EB78 18_2_0940EB78
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_09400006 18_2_09400006
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_09406125 18_2_09406125
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_0940A728 18_2_0940A728
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_0940E931 18_2_0940E931
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_09406138 18_2_09406138
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_0940C838 18_2_0940C838
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_094088CE 18_2_094088CE
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_0940EDE0 18_2_0940EDE0
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_0940EDF0 18_2_0940EDF0
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_0940E288 18_2_0940E288
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_0940E588 18_2_0940E588
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_0940E298 18_2_0940E298
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_0940D7A8 18_2_0940D7A8
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_0940D7B8 18_2_0940D7B8
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_09414D30 18_2_09414D30
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_094161F7 18_2_094161F7
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_09414000 18_2_09414000
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_09416208 18_2_09416208
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_0941BD0B 18_2_0941BD0B
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_09419001 18_2_09419001
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_098D0012 18_2_098D0012
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_098D0040 18_2_098D0040
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_0990A000 18_2_0990A000
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_0990F610 18_2_0990F610
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_0990F5F1 18_2_0990F5F1
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_0990F000 18_2_0990F000
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_099073D8 18_2_099073D8
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_099073CB 18_2_099073CB
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_09BE79B8 18_2_09BE79B8
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_09BE99A8 18_2_09BE99A8
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_09BEADA0 18_2_09BEADA0
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_09BE99D0 18_2_09BE99D0
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_09BE003C 18_2_09BE003C
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_09BEAD30 18_2_09BEAD30
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_09BE8D20 18_2_09BE8D20
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_09BE8D10 18_2_09BE8D10
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_09BEAD50 18_2_09BEAD50
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_09BE0040 18_2_09BE0040
Source: Po Ord000393901A.exe, 00000000.00000002.1658461822.0000000000B9E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Po Ord000393901A.exe
Source: Po Ord000393901A.exe, 00000000.00000002.1672411214.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePragistar.dll4 vs Po Ord000393901A.exe
Source: Po Ord000393901A.exe, 00000000.00000002.1672411214.0000000006220000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAstronot plart.exe> vs Po Ord000393901A.exe
Source: Po Ord000393901A.exe, 00000000.00000002.1676810008.0000000007160000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenamePragistar.dll4 vs Po Ord000393901A.exe
Source: Po Ord000393901A.exe, 00000000.00000002.1659140197.0000000002D5A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAstronot plart.exe> vs Po Ord000393901A.exe
Source: Po Ord000393901A.exe, 00000000.00000002.1661626769.000000000419C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePragistar.dll4 vs Po Ord000393901A.exe
Source: Po Ord000393901A.exe, 00000000.00000002.1661626769.000000000419C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAstronot plart.exe> vs Po Ord000393901A.exe
Source: Po Ord000393901A.exe, 00000000.00000002.1661626769.00000000039BC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePragistar.dll4 vs Po Ord000393901A.exe
Source: Po Ord000393901A.exe, 00000000.00000002.1659140197.0000000002B1B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAstronot plart.exe> vs Po Ord000393901A.exe
Source: Po Ord000393901A.exe, 00000000.00000002.1672411214.0000000005F43000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePragistar.dll4 vs Po Ord000393901A.exe
Source: Po Ord000393901A.exe, 00000000.00000002.1672411214.0000000005F43000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAstronot plart.exe> vs Po Ord000393901A.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\user\AppData\Roaming\selenom.exe,"
Source: classification engine Classification label: mal100.troj.evad.winEXE@19/6@0/1
Source: C:\Users\user\Desktop\Po Ord000393901A.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Po Ord000393901A.exe.log Jump to behavior
Source: C:\Users\user\AppData\Roaming\selenom.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3528:120:WilError_03
Source: Po Ord000393901A.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Po Ord000393901A.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Po Ord000393901A.exe Virustotal: Detection: 41%
Source: Po Ord000393901A.exe ReversingLabs: Detection: 63%
Source: C:\Users\user\Desktop\Po Ord000393901A.exe File read: C:\Users\user\Desktop\Po Ord000393901A.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Po Ord000393901A.exe "C:\Users\user\Desktop\Po Ord000393901A.exe"
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 16 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\user\AppData\Roaming\selenom.exe,"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 16
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 18 > nul && copy "C:\Users\user\Desktop\Po Ord000393901A.exe" "C:\Users\user\AppData\Roaming\selenom.exe" && ping 127.0.0.1 -n 18 > nul && "C:\Users\user\AppData\Roaming\selenom.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 18
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\user\AppData\Roaming\selenom.exe,"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 18
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\selenom.exe "C:\Users\user\AppData\Roaming\selenom.exe"
Source: C:\Users\user\AppData\Roaming\selenom.exe Process created: C:\Users\user\AppData\Roaming\selenom.exe "C:\Users\user\AppData\Roaming\selenom.exe"
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Section loaded: windowscodecs.dll
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\selenom.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\selenom.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\selenom.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\selenom.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\selenom.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\selenom.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\selenom.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\selenom.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\selenom.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\selenom.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\selenom.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\selenom.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\selenom.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\selenom.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\selenom.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\selenom.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\selenom.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\selenom.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\selenom.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Po Ord000393901A.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Po Ord000393901A.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Po Ord000393901A.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Po Ord000393901A.exe Static file information: File size 3034112 > 1048576
Source: Po Ord000393901A.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2e3000
Source: Po Ord000393901A.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: Yara match File source: 0.2.Po Ord000393901A.exe.62201fa.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.selenom.exe.6a6624a.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.selenom.exe.6b1968a.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Po Ord000393901A.exe.43c63b0.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Po Ord000393901A.exe.39bce50.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Po Ord000393901A.exe.7160000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Po Ord000393901A.exe.7160000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Po Ord000393901A.exe.616cdba.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Po Ord000393901A.exe.4818ce2.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.selenom.exe.683cda8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Po Ord000393901A.exe.5f43918.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Po Ord000393901A.exe.45ef840.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.selenom.exe.63ea4a8.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Po Ord000393901A.exe.5f43918.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Po Ord000393901A.exe.45ef840.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Po Ord000393901A.exe.3d138c2.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.selenom.exe.63ea4a8.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.selenom.exe.683cda8.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Po Ord000393901A.exe.39bce50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Po Ord000393901A.exe.43c63b0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1672411214.0000000006220000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2510804835.000000000353D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2536029133.0000000006B19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1659140197.0000000002B1B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1676810008.0000000007160000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1672411214.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1659140197.0000000002D5A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1661626769.0000000003CB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2536029133.000000000683C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2536029133.00000000063EA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1661626769.00000000039BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1672411214.0000000005F43000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2510804835.000000000311C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1659140197.00000000029FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2525361724.0000000004120000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1661626769.000000000419C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Po Ord000393901A.exe PID: 6976, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: selenom.exe PID: 4408, type: MEMORYSTR
Source: Po Ord000393901A.exe, j2SZ.cs .Net Code: NewLateBinding.LateCall(d4A7, (Type)null, "Invoke", new object[2]{null,Py7f.r7S3()}, (string[])null, (Type[])null, (bool[])null, true)
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_073DCD7D pushfd ; iretd 0_2_073DCD7E
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_073DC5FA push B415C069h; iretd 0_2_073DC5FF
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_073DD2E9 push eax; retf 0_2_073DD2EA
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_073DC0A9 pushad ; ret 0_2_073DC0AA
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_073DC8F5 push eax; ret 0_2_073DC8F6
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_074F5FD7 pushfd ; retf 0_2_074F5FD8
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_074FCE60 push eax; iretd 0_2_074FCE61
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_074F4C34 push edx; ret 0_2_074F4C36
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_074F6BD9 push eax; ret 0_2_074F6BDB
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_074F4879 push 58050396h; retf 0_2_074F4885
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_076E525C push FFFFFF8Bh; iretd 0_2_076E525E
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_07717D60 push E8FFFFF8h; iretd 0_2_07717D65
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_08CD3D46 push edx; ret 0_2_08CD3D47
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_08CD5365 push ebp; iretd 0_2_08CD5366
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_08E0DF55 push ecx; retf 0_2_08E0DF58
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_0956B257 push 77683D13h; iretd 0_2_0956B265
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_0956AAD1 push ebx; retf 0040h 0_2_0956AAE6
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_0959B0B4 push D0456990h; retf 0_2_0959B0BE
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_0959A522 push ss; retf 0_2_0959A535
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_04FABE91 push esi; iretd 18_2_04FABE93
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_04FA83FD pushad ; iretd 18_2_04FA83FE
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_04FC97A9 push ebp; iretd 18_2_04FC97AF
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_04FC9A9B push eax; iretd 18_2_04FC9AA1
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_04FC948C pushfd ; iretd 18_2_04FC9490
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_07AA6477 pushfd ; retf 18_2_07AA6478
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_07AAD300 push eax; iretd 18_2_07AAD301
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_07AA50D4 push edx; ret 18_2_07AA50D6
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_07AA7079 push eax; ret 18_2_07AA707B
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_07C4525C push FFFFFF8Bh; iretd 18_2_07C4525E
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_07CC8327 push ecx; ret 18_2_07CC8329
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_07CF9B96 push B8FFFFFFh; ret 18_2_07CF9B9B
Source: Po Ord000393901A.exe, m3ZFw1.cs High entropy of concatenated method names: 'Sx5b4L7P', 'd3Y9WnXf', 'Fb16Lng4', 'z1X3Epg6', 'b1P0LeYo', 'f1M0ZtSe', 'Gx05Hcg6', 'Gc67Drn9', 'o3Y1Jdj6', 'n8ACr7s9'
Source: Po Ord000393901A.exe, r5FAd78J.cs High entropy of concatenated method names: 'b4CLd1', 'Pw04Eg', 't0WGx9', 'Xz1r8H', 'c1LEs7', 'x2BJt0', 'Yw0i4J', 'Di40Xs', 'Mo98Gr', 'Wc57Ki'
Source: Po Ord000393901A.exe, Ri93XbBg.cs High entropy of concatenated method names: 'Nn8m', 'i1RP', 'f2SZ', 'k0J5Lam9', 'j4P1Kqz9', 'e0GWk91C', 'p9T8Wmx4', 'g7SEn4o5', 'Nk06PbEx', 'Wg1s0C8Q'
Source: Po Ord000393901A.exe, Py7f.cs High entropy of concatenated method names: 't4RE', 'm5H6', 'x6DS', 'Ma0d', 'b0D4', 'x1KD', 'p3S8', 'Pg0i', 'o3RGm0a4', 'x7Q4'
Source: 0.2.Po Ord000393901A.exe.2eaa4a8.1.raw.unpack, rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.cs High entropy of concatenated method names: 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
Source: 0.2.Po Ord000393901A.exe.2eaa4a8.1.raw.unpack, gabKErPURPS76kDKjrme.cs High entropy of concatenated method names: 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
Source: 0.2.Po Ord000393901A.exe.2eaa4a8.1.raw.unpack, tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.cs High entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '_5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
Source: 0.2.Po Ord000393901A.exe.62669b9.12.raw.unpack, rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.cs High entropy of concatenated method names: 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
Source: 0.2.Po Ord000393901A.exe.62669b9.12.raw.unpack, gabKErPURPS76kDKjrme.cs High entropy of concatenated method names: 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
Source: 0.2.Po Ord000393901A.exe.62669b9.12.raw.unpack, tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.cs High entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '_5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Roaming\selenom.exe

Boot Survival

Source: C:\Windows\SysWOW64\reg.exe Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\Po Ord000393901A.exe File opened: C:\Users\user\Desktop\Po Ord000393901A.exe\:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Roaming\selenom.exe File opened: C:\Users\user\AppData\Roaming\selenom.exe\:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\selenom.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: Po Ord000393901A.exe PID: 6976, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: selenom.exe PID: 4408, type: MEMORYSTR
Source: C:\Users\user\AppData\Roaming\selenom.exe Section loaded: OutputDebugStringW count: 107
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 16
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 18
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 18
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Memory allocated: F10000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Memory allocated: 28C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Memory allocated: F60000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Memory allocated: 5AF0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Memory allocated: 6AF0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\selenom.exe Memory allocated: 12B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\selenom.exe Memory allocated: 2F50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\selenom.exe Memory allocated: 4F50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\selenom.exe Memory allocated: 61C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\selenom.exe Memory allocated: 71C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\selenom.exe Code function: 18_2_07C4C398 sgdt fword ptr [eax] 18_2_07C4C398
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\selenom.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\selenom.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Window / User API: threadDelayed 1029
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Window / User API: threadDelayed 7747
Source: C:\Users\user\AppData\Roaming\selenom.exe Window / User API: threadDelayed 8331
Source: C:\Users\user\AppData\Roaming\selenom.exe Window / User API: threadDelayed 770
Source: C:\Users\user\Desktop\Po Ord000393901A.exe TID: 6324 Thread sleep time: -38000s >= -30000s
Source: C:\Users\user\Desktop\Po Ord000393901A.exe TID: 5892 Thread sleep time: -25825441703193356s >= -30000s
Source: C:\Users\user\Desktop\Po Ord000393901A.exe TID: 7112 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\selenom.exe TID: 5824 Thread sleep time: -64000s >= -30000s
Source: C:\Users\user\AppData\Roaming\selenom.exe TID: 5024 Thread sleep time: -23058430092136925s >= -30000s
Source: C:\Users\user\AppData\Roaming\selenom.exe TID: 5024 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\PING.EXE Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\selenom.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\selenom.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\selenom.exe Thread delayed: delay time: 922337203685477
Source: Po Ord000393901A.exe, 00000000.00000002.1672411214.0000000005AF1000.00000004.00000800.00020000.00000000.sdmp, Po Ord000393901A.exe, 00000000.00000002.1676810008.0000000007160000.00000004.08000000.00040000.00000000.sdmp, Po Ord000393901A.exe, 00000000.00000002.1661626769.000000000419C000.00000004.00000800.00020000.00000000.sdmp, Po Ord000393901A.exe, 00000000.00000002.1661626769.00000000039BC000.00000004.00000800.00020000.00000000.sdmp, Po Ord000393901A.exe, 00000000.00000002.1672411214.0000000005F43000.00000004.00000800.00020000.00000000.sdmp, selenom.exe, 00000012.00000002.2536029133.000000000683C000.00000004.00000800.00020000.00000000.sdmp, selenom.exe, 00000012.00000002.2536029133.00000000063EA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VBoxTray
Source: selenom.exe, 00000012.00000002.2536029133.00000000063EA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 1937121171GSOFTWARE\VMware, Inc.\VMware VGAuth
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\Po Ord000393901A.exe Code function: 0_2_0773A110 CheckRemoteDebuggerPresent, 0_2_0773A110
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\selenom.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\selenom.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\selenom.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Roaming\selenom.exe Memory written: C:\Users\user\AppData\Roaming\selenom.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 16 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\user\AppData\Roaming\selenom.exe,"
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 18 > nul && copy "C:\Users\user\Desktop\Po Ord000393901A.exe" "C:\Users\user\AppData\Roaming\selenom.exe" && ping 127.0.0.1 -n 18 > nul && "C:\Users\user\AppData\Roaming\selenom.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 16
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\user\AppData\Roaming\selenom.exe,"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 18
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 18
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\selenom.exe "C:\Users\user\AppData\Roaming\selenom.exe"
Source: C:\Users\user\AppData\Roaming\selenom.exe Process created: C:\Users\user\AppData\Roaming\selenom.exe "C:\Users\user\AppData\Roaming\selenom.exe"
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Queries volume information: C:\Users\user\Desktop\Po Ord000393901A.exe VolumeInformation
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\selenom.exe Queries volume information: C:\Users\user\AppData\Roaming\selenom.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\selenom.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\selenom.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\selenom.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\selenom.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Po Ord000393901A.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid