Windows Analysis Report
SOA AUG 2024 - CMA CGM.exe

Overview

General Information

Sample name: SOA AUG 2024 - CMA CGM.exe
Analysis ID: 1524994
MD5: 47f67ecfb3eb722a3d7aefb8b5ac8b54
SHA1: 78da020402a8413cdf7d663a196c9ce46577bdbb
SHA256: a327355ae6e99929d1303a762ea8a936d8e4884f45d683de08dba6882c1c016d
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to detect virtual machines (SIDT)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

AV Detection

Source: SOA AUG 2024 - CMA CGM.exe Avira: detected
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Avira: detection malicious, Label: HEUR/AGEN.1305639
Source: 00000000.00000002.2199060259.00000000045A2000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.f6b-crxy.top/cu29/"], "decoy": ["qidr.shop", "usinessaviationconsulting.net", "68716329.xyz", "nd-los.net", "ealthironcladguarantee.shop", "oftware-download-69354.bond", "48372305.top", "omeownershub.top", "mall-chilli.top", "ajakgoid.online", "ire-changer-53482.bond", "rugsrx.shop", "oyang123.info", "azino-forum-pro.online", "817715.rest", "layman.vip", "eb777.club", "ovatonica.net", "urgaslotvip.website", "inn-paaaa.buzz", "reativedreams.design", "upremehomes.shop", "ames-saaab.buzz", "phonelock.xyz", "ideandseekvacations.xyz", "77179ksuhr.top", "ental-bridges-87553.bond", "7win2.bet", "ainan.company", "5mwhs.top", "hopp9.top", "65fhgejd3.xyz", "olandopaintingllc.online", "n-wee.buzz", "reshcasinoinfo2.top", "5734.party", "qtbyj.live", "gil.lat", "siabgc4d.online", "fios.top", "sed-cars-89003.bond", "nlineschools-2507-001-sap.click", "upiloffatemotors.online", "ordf.top", "achhonglan.shop", "irex.info", "oursmile.vip", "leachlondonstore.online", "asukacro.online", "panish-classes-64045.bond", "apita.top", "srtio.xyz", "kdsclci.bond", "ochacha.sbs", "oldsteps.buzz", "yzq0n.top", "npostl.xyz", "ladder-cancer-symptoms-mine.sbs", "400725iimfyuj120.top", "3589.photo", "rasilhojenoticias.online", "ependableequipment.online", "itusbandar126.info", "ohns.app"]}
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe ReversingLabs: Detection: 31%
Source: SOA AUG 2024 - CMA CGM.exe ReversingLabs: Detection: 32%
Source: Yara match File source: 0000000D.00000002.2237982312.000000000461B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2199060259.00000000045A2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Joe Sandbox ML: detected
Source: SOA AUG 2024 - CMA CGM.exe Joe Sandbox ML: detected
Source: SOA AUG 2024 - CMA CGM.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SOA AUG 2024 - CMA CGM.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: xDnL.pdbSHA256 source: SOA AUG 2024 - CMA CGM.exe, tshjuqE.exe.0.dr
Source: Binary string: xDnL.pdb source: SOA AUG 2024 - CMA CGM.exe, tshjuqE.exe.0.dr

Networking

Source: Malware configuration extractor URLs: www.f6b-crxy.top/cu29/
Source: SOA AUG 2024 - CMA CGM.exe, 00000000.00000002.2198245825.0000000002C88000.00000004.00000800.00020000.00000000.sdmp, tshjuqE.exe, 0000000D.00000002.2237054846.0000000002D60000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

E-Banking Fraud

Source: Yara match File source: 0000000D.00000002.2237982312.000000000461B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2199060259.00000000045A2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 0000000D.00000002.2237982312.000000000461B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.2237982312.000000000461B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.2237982312.000000000461B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2199060259.00000000045A2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.2199060259.00000000045A2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.2199060259.00000000045A2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: SOA AUG 2024 - CMA CGM.exe PID: 1664, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: tshjuqE.exe PID: 7020, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Code function: 0_2_00F3D5BC 0_2_00F3D5BC
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Code function: 0_2_06F35AF0 0_2_06F35AF0
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Code function: 0_2_06F351D0 0_2_06F351D0
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Code function: 0_2_06F351CE 0_2_06F351CE
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Code function: 0_2_06F34D98 0_2_06F34D98
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Code function: 0_2_06F36D10 0_2_06F36D10
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Code function: 0_2_06F36D03 0_2_06F36D03
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Code function: 0_2_06F368D8 0_2_06F368D8
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Code function: 0_2_06F368C8 0_2_06F368C8
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Code function: 0_2_06F37870 0_2_06F37870
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Code function: 13_2_012FD5BC 13_2_012FD5BC
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Code function: 13_2_052A6BE0 13_2_052A6BE0
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Code function: 13_2_052A0006 13_2_052A0006
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Code function: 13_2_052A0040 13_2_052A0040
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Code function: 13_2_052A6BD0 13_2_052A6BD0
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Code function: 13_2_09A668C8 13_2_09A668C8
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Code function: 13_2_09A668D8 13_2_09A668D8
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Code function: 13_2_09A67870 13_2_09A67870
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Code function: 13_2_09A64D98 13_2_09A64D98
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Code function: 13_2_09A66D03 13_2_09A66D03
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Code function: 13_2_09A66D10 13_2_09A66D10
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Code function: 13_2_09A651C1 13_2_09A651C1
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Code function: 13_2_09A651D0 13_2_09A651D0
Source: SOA AUG 2024 - CMA CGM.exe, 00000000.00000002.2196197377.0000000000BAE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs SOA AUG 2024 - CMA CGM.exe
Source: SOA AUG 2024 - CMA CGM.exe, 00000000.00000002.2199060259.0000000004292000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs SOA AUG 2024 - CMA CGM.exe
Source: SOA AUG 2024 - CMA CGM.exe, 00000000.00000002.2207628306.0000000006EB0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs SOA AUG 2024 - CMA CGM.exe
Source: SOA AUG 2024 - CMA CGM.exe, 00000000.00000000.2167723438.0000000000662000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamexDnL.exe@ vs SOA AUG 2024 - CMA CGM.exe
Source: SOA AUG 2024 - CMA CGM.exe Binary or memory string: OriginalFilenamexDnL.exe@ vs SOA AUG 2024 - CMA CGM.exe
Source: SOA AUG 2024 - CMA CGM.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0000000D.00000002.2237982312.000000000461B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.2237982312.000000000461B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.2237982312.000000000461B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2199060259.00000000045A2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.2199060259.00000000045A2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.2199060259.00000000045A2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: SOA AUG 2024 - CMA CGM.exe PID: 1664, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: tshjuqE.exe PID: 7020, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: SOA AUG 2024 - CMA CGM.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: tshjuqE.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.6eb0000.4.raw.unpack, uXuEVJYnGaFBaKDp8b.cs Security API names: _0020.SetAccessControl
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.6eb0000.4.raw.unpack, uXuEVJYnGaFBaKDp8b.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.6eb0000.4.raw.unpack, uXuEVJYnGaFBaKDp8b.cs Security API names: _0020.AddAccessRule
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44d40d0.1.raw.unpack, cCyHacXQqIaKEQ3ts3.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44d40d0.1.raw.unpack, uXuEVJYnGaFBaKDp8b.cs Security API names: _0020.SetAccessControl
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44d40d0.1.raw.unpack, uXuEVJYnGaFBaKDp8b.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44d40d0.1.raw.unpack, uXuEVJYnGaFBaKDp8b.cs Security API names: _0020.AddAccessRule
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44642b0.2.raw.unpack, uXuEVJYnGaFBaKDp8b.cs Security API names: _0020.SetAccessControl
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44642b0.2.raw.unpack, uXuEVJYnGaFBaKDp8b.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44642b0.2.raw.unpack, uXuEVJYnGaFBaKDp8b.cs Security API names: _0020.AddAccessRule
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.6eb0000.4.raw.unpack, cCyHacXQqIaKEQ3ts3.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44642b0.2.raw.unpack, cCyHacXQqIaKEQ3ts3.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.evad.winEXE@32/11@0/0
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe File created: C:\Users\user\AppData\Roaming\tshjuqE.exe
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2532:120:WilError_03
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Mutant created: \Sessions\1\BaseNamedObjects\CkAJOWvyvxyjlP
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2800:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:800:120:WilError_03
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe File created: C:\Users\user\AppData\Local\Temp\tmp561C.tmp
Source: SOA AUG 2024 - CMA CGM.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SOA AUG 2024 - CMA CGM.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SOA AUG 2024 - CMA CGM.exe ReversingLabs: Detection: 32%
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe File read: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe
Source: unknown Process created: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe "C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe"
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tshjuqE.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tshjuqE" /XML "C:\Users\user\AppData\Local\Temp\tmp561C.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown Process created: C:\Users\user\AppData\Roaming\tshjuqE.exe C:\Users\user\AppData\Roaming\tshjuqE.exe
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tshjuqE" /XML "C:\Users\user\AppData\Local\Temp\tmp6484.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tshjuqE.exe" Jump to behavior
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tshjuqE" /XML "C:\Users\user\AppData\Local\Temp\tmp561C.tmp" Jump to behavior
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" Jump to behavior
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" Jump to behavior
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" Jump to behavior
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" Jump to behavior
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tshjuqE" /XML "C:\Users\user\AppData\Local\Temp\tmp6484.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" Jump to behavior
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: SOA AUG 2024 - CMA CGM.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SOA AUG 2024 - CMA CGM.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: SOA AUG 2024 - CMA CGM.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: xDnL.pdbSHA256 source: SOA AUG 2024 - CMA CGM.exe, tshjuqE.exe.0.dr
Source: Binary string: xDnL.pdb source: SOA AUG 2024 - CMA CGM.exe, tshjuqE.exe.0.dr

Data Obfuscation

Source: SOA AUG 2024 - CMA CGM.exe, Form1.cs .Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: tshjuqE.exe.0.dr, Form1.cs .Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.5480000.3.raw.unpack, MainForm.cs .Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.6eb0000.4.raw.unpack, uXuEVJYnGaFBaKDp8b.cs .Net Code: Fahm2Xdy1W System.Reflection.Assembly.Load(byte[])
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44642b0.2.raw.unpack, uXuEVJYnGaFBaKDp8b.cs .Net Code: Fahm2Xdy1W System.Reflection.Assembly.Load(byte[])
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.3a7a190.0.raw.unpack, MainForm.cs .Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44d40d0.1.raw.unpack, uXuEVJYnGaFBaKDp8b.cs .Net Code: Fahm2Xdy1W System.Reflection.Assembly.Load(byte[])
Source: SOA AUG 2024 - CMA CGM.exe Static PE information: 0x83A554D2 [Wed Dec 28 02:00:50 2039 UTC]
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Code function: 0_2_06F3E6C5 push FFFFFF8Bh; iretd 0_2_06F3E6C7
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Code function: 13_2_09A6D84B push edx; iretd 13_2_09A6D853
Source: SOA AUG 2024 - CMA CGM.exe Static PE information: section name: .text entropy: 7.4353031245498595
Source: tshjuqE.exe.0.dr Static PE information: section name: .text entropy: 7.4353031245498595
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.6eb0000.4.raw.unpack, cCyHacXQqIaKEQ3ts3.cs High entropy of concatenated method names: 'T5ZKiul9w5', 'TNJKd0eOon', 'Wj7KxmnOpR', 'pa2KDJCvPq', 'zs3KBvE8LZ', 'HqHKlF5M5V', 'ra2KvRuCkc', 'fQIKSL6yl2', 'EemK9FfCKR', 'AbMKyZEhy1'
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.6eb0000.4.raw.unpack, d3t4KKy6Wj4hgeS3Uv.cs High entropy of concatenated method names: 'QJQMNWY7VD', 'GKfMuol7x0', 'PUtMm1Xfol', 'atuMQ94CDr', 'iOlMKQ6cWr', 'dreMflghpZ', 'mdIMTUAejY', 'mnr6vbEHaN', 'Dr06SgHy71', 'wFr69h42rc'
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.6eb0000.4.raw.unpack, zciFvOiwo9ZSlZnDPZ.cs High entropy of concatenated method names: 'esUt0VuuqC', 'eTBtqbP1dX', 'p51ti6YjDJ', 'klxtd3p7ap', 'aiXtOn2wLD', 'jrXtInOI3m', 'shAtowMc4T', 'DrYtr8yooD', 'sWutUUw4hk', 'vSVtsdHgUX'
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.6eb0000.4.raw.unpack, x8Yo0oHHXG0s7FUJ9Q.cs High entropy of concatenated method names: 'WlMp4sAudZ', 'sLopkraDYK', 'HTNp2Ujpk7', 'LhGpnCKCIo', 'sVlpGUEcXx', 'zVnpLhNqkr', 'wDtp7UhqKw', 'QJYpXth3ln', 'ARypWE3eFn', 'sadpA30utZ'
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.6eb0000.4.raw.unpack, JnmGFKWib9eD7ChHAA.cs High entropy of concatenated method names: 'GqFhn0bLG0', 'UW9hLs3nO2', 'X6ThX9iblv', 'zDWhW64Z1S', 'GpyhtGNUfx', 'c9Ihec6YW6', 'NM2hR8FcTP', 'k1Ph6R00Af', 'tPLhMJ9K06', 'hXfhaxJXSO'
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.6eb0000.4.raw.unpack, CBbDDLh3T1HHjGj3XY.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'N8qZ9ClGIm', 'a94ZyYVNYI', 'Fb8ZzMo54B', 'ngruJeqdga', 'nNSuNv5Jov', 'PTpuZXw626', 'hRkuuJ48Ds', 'yun7yn6KnjhQi6M6r4S'
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.6eb0000.4.raw.unpack, Usy8xc9q95ZgDBOvJC.cs High entropy of concatenated method names: 'et86F85T0S', 'BBM6OJ1oWf', 'JrZ6IA5cTu', 'F9b6oioUGw', 'BIk6iiAteD', 'C9h6rmfhBe', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.6eb0000.4.raw.unpack, uWu4cpAWnL9t27jHRw.cs High entropy of concatenated method names: 'PqTfGX4I4h', 'iOJf7OxpHM', 'hK0hI0F1DQ', 'KrghofWOMx', 'GIVhrSXVIg', 'ssEhUAhXTP', 'Xfxhs8Imbd', 'So6hglY4J2', 'mCNhHCneh7', 'de8h0ScsrL'
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.6eb0000.4.raw.unpack, sMoq8Am4iwZbrHdDBy.cs High entropy of concatenated method names: 'DQZNpCyHac', 'fqINYaKEQ3', 'fibNC9eD7C', 'hHANcAjWu4', 'CjHNtRwQS3', 'kGWNeRr3k4', 'm0MmosiB7xtnAQrqcM', 'aJGWYQRlxsL1i17ttg', 'VR5NNdPnr0', 'rTUNuGJJjD'
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.6eb0000.4.raw.unpack, tmba8aKoYgmuspHOI7.cs High entropy of concatenated method names: 'Dispose', 'KBbN9X7tnu', 'tgGZOGyucA', 'yFnjjNNlEl', 'eODNyFSXSy', 'ew8NzjB90a', 'ProcessDialogKey', 'VrlZJsy8xc', 'P95ZNZgDBO', 'WJCZZm3t4K'
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.6eb0000.4.raw.unpack, zHT6DHZnyWJKdNK2sX.cs High entropy of concatenated method names: 'LHf2gXUAn', 'SScn6MkqW', 'AfRLgOHA9', 'c2c7XsXcS', 'wDUWGYxZ8', 'StqA7B7Js', 'Cdswxit9fpJlVxSigT', 'GEukvuyywFcxUhO4LB', 'oX96yTtly', 'SU2aXQFsI'
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.6eb0000.4.raw.unpack, DiP8u5scXVdht105uc.cs High entropy of concatenated method names: 'Mg5pQj7xWO', 'AIaphLJHZn', 'UbspT6a2g9', 'TdrTy2uJ8g', 'GoJTz2NLcq', 't2spJTB9tW', 'wudpNCnUK9', 'VjZpZAV4ZK', 'LfCpukvNW9', 'HxCpmqWgua'
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.6eb0000.4.raw.unpack, HDFSXSSy8w8jB90alr.cs High entropy of concatenated method names: 'Ljx6QsXD48', 'oQO6KqToO5', 'FM26hTeIH6', 'zHZ6fPV5mc', 'Bdo6T2UJQX', 'u5T6p9f6Yo', 'A6M6Yx1xZ2', 'NEF6PvjXih', 'MFI6Crhfmn', 'jQ56cu2Arv'
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.6eb0000.4.raw.unpack, k1yQAcDpXg7eQjOkuo.cs High entropy of concatenated method names: 'JheRCoicpK', 'h6KRccfCwM', 'ToString', 'Hu2RQUyL72', 'XCkRKZQu7I', 'EBlRh9CgQW', 'ESmRflWfWp', 'eHtRTd0dKc', 'iq5RpPyVrL', 'qxnRYg6FFs'
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.6eb0000.4.raw.unpack, X7Uu1qE879aj56n2V0.cs High entropy of concatenated method names: 'f6IVXHTOKd', 'JGAVWukYwT', 'r8DVFWaZJJ', 'O8WVOeV0o3', 'kohVoYM1yM', 'nrqVrP4cra', 'BbeVs9DZ3P', 'qy9VgdB5ry', 'YiiV04jeRg', 'idOV1t6Sne'
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.6eb0000.4.raw.unpack, fS3pGWFRr3k4JUXevA.cs High entropy of concatenated method names: 'JjdT8W22us', 'chPTKFOBaQ', 'ebBTfcGB12', 'AINTpeO8oN', 'yeyTYnKclP', 'LIbfBluxcu', 'vGyflV2bmd', 'CTqfvWQD6p', 'Ox7fSxjPpO', 'uE8f98Iyls'
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.6eb0000.4.raw.unpack, F3aJXZzuIpt84KtsRb.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'bY9MVSsBDf', 'vQ1Mteo6nd', 'iQXMelKp9E', 'o7eMRAXlSB', 'lfPM6G4KL7', 'qPmMMM6Yle', 'tIPMaFFRiM'
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.6eb0000.4.raw.unpack, V0QIKVNJlnuseHsku9S.cs High entropy of concatenated method names: 'Hu0M47SvJP', 'AJLMkHdraI', 'ITSM2USitb', 'FQRMnL44D0', 'qYmMGR2oD2', 'G12MLP6nMx', 'bMKM7qQ5DX', 'TDHMXnDBmS', 'oSQMWrGC9m', 'd8GMAqvmaU'
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.6eb0000.4.raw.unpack, gTkiDHNunwAqWKt01i4.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'r7maiHV5ef', 'vygadScT5T', 'KsSaxoeEU4', 'yPGaDv1oGl', 'KaqaB5vXBj', 'ObealXyqkI', 'os1avpgqkb'
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.6eb0000.4.raw.unpack, uXuEVJYnGaFBaKDp8b.cs High entropy of concatenated method names: 'sSTu8Dr9s1', 'ntEuQQ37kN', 'eoMuKIu7jd', 'HPluhKMtSQ', 'I7ZufxmqMB', 'nhQuTrf317', 'k88upVfORA', 'C3DuYngqNT', 'K0QuPHCIPv', 'NJVuCvnNhw'
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44642b0.2.raw.unpack, cCyHacXQqIaKEQ3ts3.cs High entropy of concatenated method names: 'T5ZKiul9w5', 'TNJKd0eOon', 'Wj7KxmnOpR', 'pa2KDJCvPq', 'zs3KBvE8LZ', 'HqHKlF5M5V', 'ra2KvRuCkc', 'fQIKSL6yl2', 'EemK9FfCKR', 'AbMKyZEhy1'
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44642b0.2.raw.unpack, d3t4KKy6Wj4hgeS3Uv.cs High entropy of concatenated method names: 'QJQMNWY7VD', 'GKfMuol7x0', 'PUtMm1Xfol', 'atuMQ94CDr', 'iOlMKQ6cWr', 'dreMflghpZ', 'mdIMTUAejY', 'mnr6vbEHaN', 'Dr06SgHy71', 'wFr69h42rc'
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44642b0.2.raw.unpack, zciFvOiwo9ZSlZnDPZ.cs High entropy of concatenated method names: 'esUt0VuuqC', 'eTBtqbP1dX', 'p51ti6YjDJ', 'klxtd3p7ap', 'aiXtOn2wLD', 'jrXtInOI3m', 'shAtowMc4T', 'DrYtr8yooD', 'sWutUUw4hk', 'vSVtsdHgUX'
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44642b0.2.raw.unpack, x8Yo0oHHXG0s7FUJ9Q.cs High entropy of concatenated method names: 'WlMp4sAudZ', 'sLopkraDYK', 'HTNp2Ujpk7', 'LhGpnCKCIo', 'sVlpGUEcXx', 'zVnpLhNqkr', 'wDtp7UhqKw', 'QJYpXth3ln', 'ARypWE3eFn', 'sadpA30utZ'
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44642b0.2.raw.unpack, JnmGFKWib9eD7ChHAA.cs High entropy of concatenated method names: 'GqFhn0bLG0', 'UW9hLs3nO2', 'X6ThX9iblv', 'zDWhW64Z1S', 'GpyhtGNUfx', 'c9Ihec6YW6', 'NM2hR8FcTP', 'k1Ph6R00Af', 'tPLhMJ9K06', 'hXfhaxJXSO'
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44642b0.2.raw.unpack, CBbDDLh3T1HHjGj3XY.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'N8qZ9ClGIm', 'a94ZyYVNYI', 'Fb8ZzMo54B', 'ngruJeqdga', 'nNSuNv5Jov', 'PTpuZXw626', 'hRkuuJ48Ds', 'yun7yn6KnjhQi6M6r4S'
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44642b0.2.raw.unpack, Usy8xc9q95ZgDBOvJC.cs High entropy of concatenated method names: 'et86F85T0S', 'BBM6OJ1oWf', 'JrZ6IA5cTu', 'F9b6oioUGw', 'BIk6iiAteD', 'C9h6rmfhBe', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44642b0.2.raw.unpack, uWu4cpAWnL9t27jHRw.cs High entropy of concatenated method names: 'PqTfGX4I4h', 'iOJf7OxpHM', 'hK0hI0F1DQ', 'KrghofWOMx', 'GIVhrSXVIg', 'ssEhUAhXTP', 'Xfxhs8Imbd', 'So6hglY4J2', 'mCNhHCneh7', 'de8h0ScsrL'
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44642b0.2.raw.unpack, sMoq8Am4iwZbrHdDBy.cs High entropy of concatenated method names: 'DQZNpCyHac', 'fqINYaKEQ3', 'fibNC9eD7C', 'hHANcAjWu4', 'CjHNtRwQS3', 'kGWNeRr3k4', 'm0MmosiB7xtnAQrqcM', 'aJGWYQRlxsL1i17ttg', 'VR5NNdPnr0', 'rTUNuGJJjD'
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44642b0.2.raw.unpack, tmba8aKoYgmuspHOI7.cs High entropy of concatenated method names: 'Dispose', 'KBbN9X7tnu', 'tgGZOGyucA', 'yFnjjNNlEl', 'eODNyFSXSy', 'ew8NzjB90a', 'ProcessDialogKey', 'VrlZJsy8xc', 'P95ZNZgDBO', 'WJCZZm3t4K'
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44642b0.2.raw.unpack, zHT6DHZnyWJKdNK2sX.cs High entropy of concatenated method names: 'LHf2gXUAn', 'SScn6MkqW', 'AfRLgOHA9', 'c2c7XsXcS', 'wDUWGYxZ8', 'StqA7B7Js', 'Cdswxit9fpJlVxSigT', 'GEukvuyywFcxUhO4LB', 'oX96yTtly', 'SU2aXQFsI'
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44642b0.2.raw.unpack, DiP8u5scXVdht105uc.cs High entropy of concatenated method names: 'Mg5pQj7xWO', 'AIaphLJHZn', 'UbspT6a2g9', 'TdrTy2uJ8g', 'GoJTz2NLcq', 't2spJTB9tW', 'wudpNCnUK9', 'VjZpZAV4ZK', 'LfCpukvNW9', 'HxCpmqWgua'
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44642b0.2.raw.unpack, HDFSXSSy8w8jB90alr.cs High entropy of concatenated method names: 'Ljx6QsXD48', 'oQO6KqToO5', 'FM26hTeIH6', 'zHZ6fPV5mc', 'Bdo6T2UJQX', 'u5T6p9f6Yo', 'A6M6Yx1xZ2', 'NEF6PvjXih', 'MFI6Crhfmn', 'jQ56cu2Arv'
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44642b0.2.raw.unpack, k1yQAcDpXg7eQjOkuo.cs High entropy of concatenated method names: 'JheRCoicpK', 'h6KRccfCwM', 'ToString', 'Hu2RQUyL72', 'XCkRKZQu7I', 'EBlRh9CgQW', 'ESmRflWfWp', 'eHtRTd0dKc', 'iq5RpPyVrL', 'qxnRYg6FFs'
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44642b0.2.raw.unpack, X7Uu1qE879aj56n2V0.cs High entropy of concatenated method names: 'f6IVXHTOKd', 'JGAVWukYwT', 'r8DVFWaZJJ', 'O8WVOeV0o3', 'kohVoYM1yM', 'nrqVrP4cra', 'BbeVs9DZ3P', 'qy9VgdB5ry', 'YiiV04jeRg', 'idOV1t6Sne'
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44642b0.2.raw.unpack, fS3pGWFRr3k4JUXevA.cs High entropy of concatenated method names: 'JjdT8W22us', 'chPTKFOBaQ', 'ebBTfcGB12', 'AINTpeO8oN', 'yeyTYnKclP', 'LIbfBluxcu', 'vGyflV2bmd', 'CTqfvWQD6p', 'Ox7fSxjPpO', 'uE8f98Iyls'
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44642b0.2.raw.unpack, F3aJXZzuIpt84KtsRb.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'bY9MVSsBDf', 'vQ1Mteo6nd', 'iQXMelKp9E', 'o7eMRAXlSB', 'lfPM6G4KL7', 'qPmMMM6Yle', 'tIPMaFFRiM'
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44642b0.2.raw.unpack, V0QIKVNJlnuseHsku9S.cs High entropy of concatenated method names: 'Hu0M47SvJP', 'AJLMkHdraI', 'ITSM2USitb', 'FQRMnL44D0', 'qYmMGR2oD2', 'G12MLP6nMx', 'bMKM7qQ5DX', 'TDHMXnDBmS', 'oSQMWrGC9m', 'd8GMAqvmaU'
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44642b0.2.raw.unpack, gTkiDHNunwAqWKt01i4.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'r7maiHV5ef', 'vygadScT5T', 'KsSaxoeEU4', 'yPGaDv1oGl', 'KaqaB5vXBj', 'ObealXyqkI', 'os1avpgqkb'
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44642b0.2.raw.unpack, uXuEVJYnGaFBaKDp8b.cs High entropy of concatenated method names: 'sSTu8Dr9s1', 'ntEuQQ37kN', 'eoMuKIu7jd', 'HPluhKMtSQ', 'I7ZufxmqMB', 'nhQuTrf317', 'k88upVfORA', 'C3DuYngqNT', 'K0QuPHCIPv', 'NJVuCvnNhw'
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44d40d0.1.raw.unpack, cCyHacXQqIaKEQ3ts3.cs High entropy of concatenated method names: 'T5ZKiul9w5', 'TNJKd0eOon', 'Wj7KxmnOpR', 'pa2KDJCvPq', 'zs3KBvE8LZ', 'HqHKlF5M5V', 'ra2KvRuCkc', 'fQIKSL6yl2', 'EemK9FfCKR', 'AbMKyZEhy1'
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44d40d0.1.raw.unpack, d3t4KKy6Wj4hgeS3Uv.cs High entropy of concatenated method names: 'QJQMNWY7VD', 'GKfMuol7x0', 'PUtMm1Xfol', 'atuMQ94CDr', 'iOlMKQ6cWr', 'dreMflghpZ', 'mdIMTUAejY', 'mnr6vbEHaN', 'Dr06SgHy71', 'wFr69h42rc'
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44d40d0.1.raw.unpack, zciFvOiwo9ZSlZnDPZ.cs High entropy of concatenated method names: 'esUt0VuuqC', 'eTBtqbP1dX', 'p51ti6YjDJ', 'klxtd3p7ap', 'aiXtOn2wLD', 'jrXtInOI3m', 'shAtowMc4T', 'DrYtr8yooD', 'sWutUUw4hk', 'vSVtsdHgUX'
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44d40d0.1.raw.unpack, x8Yo0oHHXG0s7FUJ9Q.cs High entropy of concatenated method names: 'WlMp4sAudZ', 'sLopkraDYK', 'HTNp2Ujpk7', 'LhGpnCKCIo', 'sVlpGUEcXx', 'zVnpLhNqkr', 'wDtp7UhqKw', 'QJYpXth3ln', 'ARypWE3eFn', 'sadpA30utZ'
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44d40d0.1.raw.unpack, JnmGFKWib9eD7ChHAA.cs High entropy of concatenated method names: 'GqFhn0bLG0', 'UW9hLs3nO2', 'X6ThX9iblv', 'zDWhW64Z1S', 'GpyhtGNUfx', 'c9Ihec6YW6', 'NM2hR8FcTP', 'k1Ph6R00Af', 'tPLhMJ9K06', 'hXfhaxJXSO'
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44d40d0.1.raw.unpack, CBbDDLh3T1HHjGj3XY.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'N8qZ9ClGIm', 'a94ZyYVNYI', 'Fb8ZzMo54B', 'ngruJeqdga', 'nNSuNv5Jov', 'PTpuZXw626', 'hRkuuJ48Ds', 'yun7yn6KnjhQi6M6r4S'
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44d40d0.1.raw.unpack, Usy8xc9q95ZgDBOvJC.cs High entropy of concatenated method names: 'et86F85T0S', 'BBM6OJ1oWf', 'JrZ6IA5cTu', 'F9b6oioUGw', 'BIk6iiAteD', 'C9h6rmfhBe', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44d40d0.1.raw.unpack, uWu4cpAWnL9t27jHRw.cs High entropy of concatenated method names: 'PqTfGX4I4h', 'iOJf7OxpHM', 'hK0hI0F1DQ', 'KrghofWOMx', 'GIVhrSXVIg', 'ssEhUAhXTP', 'Xfxhs8Imbd', 'So6hglY4J2', 'mCNhHCneh7', 'de8h0ScsrL'
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44d40d0.1.raw.unpack, sMoq8Am4iwZbrHdDBy.cs High entropy of concatenated method names: 'DQZNpCyHac', 'fqINYaKEQ3', 'fibNC9eD7C', 'hHANcAjWu4', 'CjHNtRwQS3', 'kGWNeRr3k4', 'm0MmosiB7xtnAQrqcM', 'aJGWYQRlxsL1i17ttg', 'VR5NNdPnr0', 'rTUNuGJJjD'
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44d40d0.1.raw.unpack, tmba8aKoYgmuspHOI7.cs High entropy of concatenated method names: 'Dispose', 'KBbN9X7tnu', 'tgGZOGyucA', 'yFnjjNNlEl', 'eODNyFSXSy', 'ew8NzjB90a', 'ProcessDialogKey', 'VrlZJsy8xc', 'P95ZNZgDBO', 'WJCZZm3t4K'
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44d40d0.1.raw.unpack, zHT6DHZnyWJKdNK2sX.cs High entropy of concatenated method names: 'LHf2gXUAn', 'SScn6MkqW', 'AfRLgOHA9', 'c2c7XsXcS', 'wDUWGYxZ8', 'StqA7B7Js', 'Cdswxit9fpJlVxSigT', 'GEukvuyywFcxUhO4LB', 'oX96yTtly', 'SU2aXQFsI'
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44d40d0.1.raw.unpack, DiP8u5scXVdht105uc.cs High entropy of concatenated method names: 'Mg5pQj7xWO', 'AIaphLJHZn', 'UbspT6a2g9', 'TdrTy2uJ8g', 'GoJTz2NLcq', 't2spJTB9tW', 'wudpNCnUK9', 'VjZpZAV4ZK', 'LfCpukvNW9', 'HxCpmqWgua'
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44d40d0.1.raw.unpack, HDFSXSSy8w8jB90alr.cs High entropy of concatenated method names: 'Ljx6QsXD48', 'oQO6KqToO5', 'FM26hTeIH6', 'zHZ6fPV5mc', 'Bdo6T2UJQX', 'u5T6p9f6Yo', 'A6M6Yx1xZ2', 'NEF6PvjXih', 'MFI6Crhfmn', 'jQ56cu2Arv'
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44d40d0.1.raw.unpack, k1yQAcDpXg7eQjOkuo.cs High entropy of concatenated method names: 'JheRCoicpK', 'h6KRccfCwM', 'ToString', 'Hu2RQUyL72', 'XCkRKZQu7I', 'EBlRh9CgQW', 'ESmRflWfWp', 'eHtRTd0dKc', 'iq5RpPyVrL', 'qxnRYg6FFs'
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44d40d0.1.raw.unpack, X7Uu1qE879aj56n2V0.cs High entropy of concatenated method names: 'f6IVXHTOKd', 'JGAVWukYwT', 'r8DVFWaZJJ', 'O8WVOeV0o3', 'kohVoYM1yM', 'nrqVrP4cra', 'BbeVs9DZ3P', 'qy9VgdB5ry', 'YiiV04jeRg', 'idOV1t6Sne'
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44d40d0.1.raw.unpack, fS3pGWFRr3k4JUXevA.cs High entropy of concatenated method names: 'JjdT8W22us', 'chPTKFOBaQ', 'ebBTfcGB12', 'AINTpeO8oN', 'yeyTYnKclP', 'LIbfBluxcu', 'vGyflV2bmd', 'CTqfvWQD6p', 'Ox7fSxjPpO', 'uE8f98Iyls'
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44d40d0.1.raw.unpack, F3aJXZzuIpt84KtsRb.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'bY9MVSsBDf', 'vQ1Mteo6nd', 'iQXMelKp9E', 'o7eMRAXlSB', 'lfPM6G4KL7', 'qPmMMM6Yle', 'tIPMaFFRiM'
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44d40d0.1.raw.unpack, V0QIKVNJlnuseHsku9S.cs High entropy of concatenated method names: 'Hu0M47SvJP', 'AJLMkHdraI', 'ITSM2USitb', 'FQRMnL44D0', 'qYmMGR2oD2', 'G12MLP6nMx', 'bMKM7qQ5DX', 'TDHMXnDBmS', 'oSQMWrGC9m', 'd8GMAqvmaU'
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44d40d0.1.raw.unpack, gTkiDHNunwAqWKt01i4.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'r7maiHV5ef', 'vygadScT5T', 'KsSaxoeEU4', 'yPGaDv1oGl', 'KaqaB5vXBj', 'ObealXyqkI', 'os1avpgqkb'
Source: 0.2.SOA AUG 2024 - CMA CGM.exe.44d40d0.1.raw.unpack, uXuEVJYnGaFBaKDp8b.cs High entropy of concatenated method names: 'sSTu8Dr9s1', 'ntEuQQ37kN', 'eoMuKIu7jd', 'HPluhKMtSQ', 'I7ZufxmqMB', 'nhQuTrf317', 'k88upVfORA', 'C3DuYngqNT', 'K0QuPHCIPv', 'NJVuCvnNhw'
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe File created: \soa aug 2024 - cma cgm.exe
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe File created: C:\Users\user\AppData\Roaming\tshjuqE.exe

Boot Survival

Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tshjuqE" /XML "C:\Users\user\AppData\Local\Temp\tmp561C.tmp"

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: SOA AUG 2024 - CMA CGM.exe PID: 1664, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: tshjuqE.exe PID: 7020, type: MEMORYSTR
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Memory allocated: F30000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Memory allocated: 2A10000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Memory allocated: 4A10000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Memory allocated: 7960000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Memory allocated: 8960000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Memory allocated: 8B10000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Memory allocated: 9B10000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Memory allocated: 9E70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Memory allocated: AE70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Memory allocated: BE70000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Memory allocated: 1140000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Memory allocated: 2D20000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Memory allocated: 4D20000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Memory allocated: 7290000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Memory allocated: 8290000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Memory allocated: 8420000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Memory allocated: 9420000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Memory allocated: 9A70000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Memory allocated: AA70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Code function: 0_2_00F397A0 sidt fword ptr [edi] 0_2_00F397A0
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6179
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3513
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe TID: 4156 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5696 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe TID: 1484 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: SOA AUG 2024 - CMA CGM.exe, 00000000.00000002.2196556972.0000000000C96000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33^
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tshjuqE.exe"
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tshjuqE" /XML "C:\Users\user\AppData\Local\Temp\tmp561C.tmp"
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tshjuqE" /XML "C:\Users\user\AppData\Local\Temp\tmp6484.tmp"
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Queries volume information: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Queries volume information: C:\Users\user\AppData\Roaming\tshjuqE.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\tshjuqE.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\SOA AUG 2024 - CMA CGM.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 0000000D.00000002.2237982312.000000000461B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2199060259.00000000045A2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 0000000D.00000002.2237982312.000000000461B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2199060259.00000000045A2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
No contacted IP infos