Windows Analysis Report
20240328-REV2.exe

Overview

General Information

Sample name: 20240328-REV2.exe
Analysis ID: 1432024
MD5: ed1e2fd68e9de44ea4e01c7897f64411
SHA1: a42eb4e6084ac91d1fad3ef9fe01d8d3e9db0c26
SHA256: 37109eb42fff729d1786ca4b676167f7acaa918a4abaf3bb465cfed6efa2b134
Tags: exe
Infos:

Detection

AgentTesla, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Name Description Attribution Blogpost URLs Link
Agent Tesla, AgentTesla A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
 https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

AV Detection
barindex
Antivirus detection for URL or domain
Source: http://mail.mbarieservicesltd.com Avira URL Cloud: Label: malware
Found malware configuration
Source: WmiPrvSE.exe.3772.10.memstrmin Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.mbarieservicesltd.com", "Username": "saless@mbarieservicesltd.com", "Password": " *o9H+18Q4%;M "}
Multi AV Scanner detection for domain / URL
Source: mail.mbarieservicesltd.com Virustotal: Detection: 5% Perma Link
Source: http://mail.mbarieservicesltd.com Virustotal: Detection: 5% Perma Link
Multi AV Scanner detection for submitted file
Source: 20240328-REV2.exe ReversingLabs: Detection: 44%
Source: 20240328-REV2.exe Virustotal: Detection: 44% Perma Link
Machine Learning detection for sample
Source: 20240328-REV2.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: 20240328-REV2.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 20240328-REV2.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: System.Data.pdb source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: System.Xml.ni.pdb source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: Accessibility.pdb source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: System.ni.pdbRSDS source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: System.Drawing.pdb\ source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: Microsoft.VisualBasic.pdbSystem.Data.ni.dll< source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: XZW.pdb source: 20240328-REV2.exe, WER5DE2.tmp.dmp.8.dr
Source: Binary string: mscorlib.pdbx source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: System.pdbSystem.Data.dll4 source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: XZW.pdbSHA256o source: 20240328-REV2.exe
Source: Binary string: System.Configuration.ni.pdb source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: mscorlib.ni.pdbRSDS source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: System.Data.ni.pdb source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: System.Configuration.pdb source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: System.Xml.pdb source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: System.pdb source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: System.Core.ni.pdb source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: System.Windows.Forms.pdb source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: mscorlib.pdb source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: System.Drawing.pdb source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: mscorlib.ni.pdb source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: System.Data.ni.pdbRSDS source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: System.Core.pdb source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: System.ni.pdb source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: System.Data.pdb, source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER5DE2.tmp.dmp.8.dr

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.8:49711 -> 199.79.62.115:587
Source: Traffic Snort IDS: 2855245 ETPRO TROJAN Agent Tesla Exfil via SMTP 192.168.2.8:49711 -> 199.79.62.115:587
Source: Traffic Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.8:49711 -> 199.79.62.115:587
Source: Traffic Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.8:49711 -> 199.79.62.115:587
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.8:49711 -> 199.79.62.115:587
Source: Traffic Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.8:49711 -> 199.79.62.115:587
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.8:49711 -> 199.79.62.115:587
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 199.79.62.115 199.79.62.115
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: PUBLIC-DOMAIN-REGISTRYUS PUBLIC-DOMAIN-REGISTRYUS
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.8:49711 -> 199.79.62.115:587
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: mail.mbarieservicesltd.com
Source: 20240328-REV2.exe, 00000005.00000002.2747010558.000000000299A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.mbarieservicesltd.com
Source: 20240328-REV2.exe, 00000005.00000002.2747010558.000000000299A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mbarieservicesltd.com
Source: 20240328-REV2.exe, 00000001.00000002.1581428931.000000000280D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.8.dr String found in binary or memory: http://upx.sf.net
Detected potential crypto function
Source: C:\Users\user\Desktop\20240328-REV2.exe Code function: 1_2_04D31808 1_2_04D31808
Source: C:\Users\user\Desktop\20240328-REV2.exe Code function: 1_2_04D317F8 1_2_04D317F8
Source: C:\Users\user\Desktop\20240328-REV2.exe Code function: 1_2_0534C550 1_2_0534C550
Source: C:\Users\user\Desktop\20240328-REV2.exe Code function: 1_2_0534E6F0 1_2_0534E6F0
Source: C:\Users\user\Desktop\20240328-REV2.exe Code function: 1_2_06EA7A20 1_2_06EA7A20
Source: C:\Users\user\Desktop\20240328-REV2.exe Code function: 1_2_06EA9BC0 1_2_06EA9BC0
Source: C:\Users\user\Desktop\20240328-REV2.exe Code function: 1_2_06EACC18 1_2_06EACC18
Source: C:\Users\user\Desktop\20240328-REV2.exe Code function: 1_2_06EAC900 1_2_06EAC900
Source: C:\Users\user\Desktop\20240328-REV2.exe Code function: 1_2_06EA8D10 1_2_06EA8D10
Source: C:\Users\user\Desktop\20240328-REV2.exe Code function: 1_2_06EABED0 1_2_06EABED0
Source: C:\Users\user\Desktop\20240328-REV2.exe Code function: 1_2_06EA82A8 1_2_06EA82A8
Source: C:\Users\user\Desktop\20240328-REV2.exe Code function: 1_2_06EAAA60 1_2_06EAAA60
Source: C:\Users\user\Desktop\20240328-REV2.exe Code function: 1_2_06EA8770 1_2_06EA8770
Source: C:\Users\user\Desktop\20240328-REV2.exe Code function: 1_2_06EA6F10 1_2_06EA6F10
Source: C:\Users\user\Desktop\20240328-REV2.exe Code function: 1_2_06EAD8A8 1_2_06EAD8A8
Source: C:\Users\user\Desktop\20240328-REV2.exe Code function: 1_2_06EABC88 1_2_06EABC88
Source: C:\Users\user\Desktop\20240328-REV2.exe Code function: 1_2_06EA0040 1_2_06EA0040
Source: C:\Users\user\Desktop\20240328-REV2.exe Code function: 1_2_06EA0032 1_2_06EA0032
Source: C:\Users\user\Desktop\20240328-REV2.exe Code function: 1_2_06EAF148 1_2_06EAF148
Source: C:\Users\user\Desktop\20240328-REV2.exe Code function: 1_2_06EAB918 1_2_06EAB918
Source: C:\Users\user\Desktop\20240328-REV2.exe Code function: 1_2_070B7748 1_2_070B7748
Source: C:\Users\user\Desktop\20240328-REV2.exe Code function: 1_2_070B3618 1_2_070B3618
Source: C:\Users\user\Desktop\20240328-REV2.exe Code function: 1_2_070B56C0 1_2_070B56C0
Source: C:\Users\user\Desktop\20240328-REV2.exe Code function: 1_2_070B2DA8 1_2_070B2DA8
Source: C:\Users\user\Desktop\20240328-REV2.exe Code function: 1_2_070B4CC0 1_2_070B4CC0
Source: C:\Users\user\Desktop\20240328-REV2.exe Code function: 1_2_070BA138 1_2_070BA138
Source: C:\Users\user\Desktop\20240328-REV2.exe Code function: 1_2_070B31E0 1_2_070B31E0
Source: C:\Users\user\Desktop\20240328-REV2.exe Code function: 1_2_089539C0 1_2_089539C0
Source: C:\Users\user\Desktop\20240328-REV2.exe Code function: 1_2_08956CD8 1_2_08956CD8
Source: C:\Users\user\Desktop\20240328-REV2.exe Code function: 1_2_08959CC8 1_2_08959CC8
Source: C:\Users\user\Desktop\20240328-REV2.exe Code function: 1_2_0895A688 1_2_0895A688
Source: C:\Users\user\Desktop\20240328-REV2.exe Code function: 1_2_08959CB8 1_2_08959CB8
Source: C:\Users\user\Desktop\20240328-REV2.exe Code function: 1_2_08957280 1_2_08957280
Source: C:\Users\user\Desktop\20240328-REV2.exe Code function: 1_2_08957271 1_2_08957271
Source: C:\Users\user\Desktop\20240328-REV2.exe Code function: 1_2_0895C388 1_2_0895C388
Source: C:\Users\user\Desktop\20240328-REV2.exe Code function: 1_2_0895A3F0 1_2_0895A3F0
Source: C:\Users\user\Desktop\20240328-REV2.exe Code function: 1_2_0895A3E0 1_2_0895A3E0
Source: C:\Users\user\Desktop\20240328-REV2.exe Code function: 1_2_0895C378 1_2_0895C378
Source: C:\Users\user\Desktop\20240328-REV2.exe Code function: 1_2_0895A67A 1_2_0895A67A
Source: C:\Users\user\Desktop\20240328-REV2.exe Code function: 5_2_00ED4140 5_2_00ED4140
Source: C:\Users\user\Desktop\20240328-REV2.exe Code function: 5_2_00ED4D58 5_2_00ED4D58
Source: C:\Users\user\Desktop\20240328-REV2.exe Code function: 5_2_00ED4488 5_2_00ED4488
Source: C:\Users\user\Desktop\20240328-REV2.exe Code function: 5_2_0615A6C0 5_2_0615A6C0
Source: C:\Users\user\Desktop\20240328-REV2.exe Code function: 5_2_0615EFB8 5_2_0615EFB8
Source: C:\Users\user\Desktop\20240328-REV2.exe Code function: 5_2_0615DFEB 5_2_0615DFEB
Source: C:\Users\user\Desktop\20240328-REV2.exe Code function: 5_2_06157D20 5_2_06157D20
Source: C:\Users\user\Desktop\20240328-REV2.exe Code function: 5_2_06158D98 5_2_06158D98
Source: C:\Users\user\Desktop\20240328-REV2.exe Code function: 5_2_06155210 5_2_06155210
Source: C:\Users\user\Desktop\20240328-REV2.exe Code function: 5_2_061584CB 5_2_061584CB
One or more processes crash
Source: C:\Users\user\Desktop\20240328-REV2.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6840 -s 1796
Sample file is different than original file name gathered from version info
Source: 20240328-REV2.exe, 00000001.00000000.1493632755.00000000003AE000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameXZW.exe& vs 20240328-REV2.exe
Source: 20240328-REV2.exe, 00000001.00000002.1581428931.000000000280D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename7b99aba2-3c62-4861-97de-170caa2c3039.exe4 vs 20240328-REV2.exe
Source: 20240328-REV2.exe, 00000001.00000002.1580368727.000000000086E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs 20240328-REV2.exe
Source: 20240328-REV2.exe, 00000001.00000002.1586570461.0000000007622000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs 20240328-REV2.exe
Source: 20240328-REV2.exe, 00000001.00000002.1587945175.000000000B0E0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs 20240328-REV2.exe
Source: 20240328-REV2.exe, 00000001.00000002.1582368712.0000000004187000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename7b99aba2-3c62-4861-97de-170caa2c3039.exe4 vs 20240328-REV2.exe
Source: 20240328-REV2.exe, 00000001.00000002.1582368712.0000000004187000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs 20240328-REV2.exe
Source: 20240328-REV2.exe, 00000005.00000002.2743308776.000000000042C000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilename7b99aba2-3c62-4861-97de-170caa2c3039.exe4 vs 20240328-REV2.exe
Source: 20240328-REV2.exe, 00000005.00000002.2743688093.00000000008F8000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs 20240328-REV2.exe
Source: 20240328-REV2.exe Binary or memory string: OriginalFilenameXZW.exe& vs 20240328-REV2.exe
Uses 32bit PE files
Source: 20240328-REV2.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 20240328-REV2.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 1.2.20240328-REV2.exe.3799970.8.raw.unpack, V4uC3Iifq56IKQcfry.cs Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.20240328-REV2.exe.3799970.8.raw.unpack, V4uC3Iifq56IKQcfry.cs Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.20240328-REV2.exe.4345780.6.raw.unpack, O.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.20240328-REV2.exe.4345780.6.raw.unpack, O.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.20240328-REV2.exe.4345780.6.raw.unpack, P.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.20240328-REV2.exe.4345780.6.raw.unpack, P.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.20240328-REV2.exe.4345780.6.raw.unpack, N.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.20240328-REV2.exe.4345780.6.raw.unpack, N.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.20240328-REV2.exe.4345780.6.raw.unpack, N.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.20240328-REV2.exe.4345780.6.raw.unpack, N.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.20240328-REV2.exe.b0e0000.12.raw.unpack, DqO3BeEpxTFOeAX25D.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.20240328-REV2.exe.b0e0000.12.raw.unpack, suKFporoyXFpyYjnCY.cs Security API names: _0020.SetAccessControl
Source: 1.2.20240328-REV2.exe.b0e0000.12.raw.unpack, suKFporoyXFpyYjnCY.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.20240328-REV2.exe.b0e0000.12.raw.unpack, suKFporoyXFpyYjnCY.cs Security API names: _0020.AddAccessRule
Source: 1.2.20240328-REV2.exe.27f6814.5.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: 1.2.20240328-REV2.exe.2a18018.1.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: 1.2.20240328-REV2.exe.27e6474.3.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: 1.2.20240328-REV2.exe.6d80000.11.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@8/11@1/1
Source: C:\Users\user\Desktop\20240328-REV2.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\20240328-REV2.exe.log Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4920:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6840
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tckzrrwj.5ng.ps1 Jump to behavior
Source: 20240328-REV2.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 20240328-REV2.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\20240328-REV2.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\20240328-REV2.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\20240328-REV2.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: 20240328-REV2.exe ReversingLabs: Detection: 44%
Source: 20240328-REV2.exe Virustotal: Detection: 44%
Source: unknown Process created: C:\Users\user\Desktop\20240328-REV2.exe "C:\Users\user\Desktop\20240328-REV2.exe"
Source: C:\Users\user\Desktop\20240328-REV2.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\20240328-REV2.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\20240328-REV2.exe Process created: C:\Users\user\Desktop\20240328-REV2.exe "C:\Users\user\Desktop\20240328-REV2.exe"
Source: C:\Users\user\Desktop\20240328-REV2.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6840 -s 1796
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\20240328-REV2.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\20240328-REV2.exe" Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process created: C:\Users\user\Desktop\20240328-REV2.exe "C:\Users\user\Desktop\20240328-REV2.exe" Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\20240328-REV2.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: 20240328-REV2.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 20240328-REV2.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: 20240328-REV2.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: System.Data.pdb source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: System.Xml.ni.pdb source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: Accessibility.pdb source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: System.ni.pdbRSDS source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: System.Drawing.pdb\ source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: Microsoft.VisualBasic.pdbSystem.Data.ni.dll< source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: XZW.pdb source: 20240328-REV2.exe, WER5DE2.tmp.dmp.8.dr
Source: Binary string: mscorlib.pdbx source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: System.pdbSystem.Data.dll4 source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: XZW.pdbSHA256o source: 20240328-REV2.exe
Source: Binary string: System.Configuration.ni.pdb source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: mscorlib.ni.pdbRSDS source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: System.Data.ni.pdb source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: System.Configuration.pdb source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: System.Xml.pdb source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: System.pdb source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: System.Core.ni.pdb source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: System.Windows.Forms.pdb source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: mscorlib.pdb source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: System.Drawing.pdb source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: mscorlib.ni.pdb source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: System.Data.ni.pdbRSDS source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: System.Core.pdb source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: System.ni.pdb source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: System.Data.pdb, source: WER5DE2.tmp.dmp.8.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER5DE2.tmp.dmp.8.dr

Data Obfuscation
barindex
.NET source code contains method to dynamically call methods (often used by packers)
Source: 1.2.20240328-REV2.exe.3799970.8.raw.unpack, V4uC3Iifq56IKQcfry.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 1.2.20240328-REV2.exe.6d50000.10.raw.unpack, V4uC3Iifq56IKQcfry.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
.NET source code contains potential unpacker
Source: 1.2.20240328-REV2.exe.b0e0000.12.raw.unpack, suKFporoyXFpyYjnCY.cs .Net Code: PRsgCpb7f4 System.Reflection.Assembly.Load(byte[])
Binary contains a suspicious time stamp
Source: 20240328-REV2.exe Static PE information: 0x81577B65 [Wed Oct 6 16:08:05 2038 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\20240328-REV2.exe Code function: 1_2_05347E88 pushad ; iretd 1_2_05347E91
Source: C:\Users\user\Desktop\20240328-REV2.exe Code function: 1_2_06EA3E3A push ds; ret 1_2_06EA3E3B
Source: C:\Users\user\Desktop\20240328-REV2.exe Code function: 1_2_070B7E8A push esp; ret 1_2_070B7E91
Source: C:\Users\user\Desktop\20240328-REV2.exe Code function: 1_2_08951CC0 push 00000059h; ret 1_2_08951CF8
Source: 20240328-REV2.exe Static PE information: section name: .text entropy: 7.946644747446866
Source: 1.2.20240328-REV2.exe.3799970.8.raw.unpack, V4uC3Iifq56IKQcfry.cs High entropy of concatenated method names: 'JcqLcnHE8kRk7VHJhl', 'baAwnpSkPWAs4YMGxr', 'wTgrto4LNQ', 'imnL6GCB6AIFRqkhxN', 'RgtTUJcyZL', 'dHYrbjNADO', 'xiCr8b7Qs6', 'PT2rZj37UR', 'P1WruDgOtu', 'd71eKLY6YVFQv'
Source: 1.2.20240328-REV2.exe.3799970.8.raw.unpack, vpednoN8EZgsJ4TDwx.cs High entropy of concatenated method names: 'SvRTLtpnA', 'uJwWpedno', 'REZpgsJ4T', 'uwxys3A5Q', 'Tl3iTkB7U', 'EqRFtDP16', 'TW5lfqidm', 'wSKAUGlNW', 'LkrevaXpK', 'cwu0Op5AT'
Source: 1.2.20240328-REV2.exe.b0e0000.12.raw.unpack, MM0nqSL2pcP1fo9nGr.cs High entropy of concatenated method names: 'BRqq8Nr7FX', 'M44qo7oWQY', 'y5ldT8nfBy', 'DvMdSxQh4k', 'OLCqfLuBSA', 'cmhq16tpVP', 'SCZqkDDN1X', 'zPWq2w2ZYe', 'SQSqaFD0qB', 'K0YqKpsekJ'
Source: 1.2.20240328-REV2.exe.b0e0000.12.raw.unpack, sCWHAZsS0UutPc9r2g.cs High entropy of concatenated method names: 'etTqDWEbej', 'aVTq9ZmSyZ', 'ToString', 'ygUqIqK4Vy', 'F03qW68PfY', 'NZXqpU96Xm', 'OmOqAbtClF', 'DoCqOi3l8d', 'i32qeSWy7n', 'C5PqVtpR8w'
Source: 1.2.20240328-REV2.exe.b0e0000.12.raw.unpack, c3RrIbi4S2dSDSPr32.cs High entropy of concatenated method names: 'MIaALo02Ps', 'XPQAuvKU1o', 'BdKpZnNe28', 'oZdpH33057', 'KcZpEo1nSs', 'GnHp3lMg8f', 'H5UpJBQsaA', 'iHZpMK7nrt', 'CfkpjF5Pvw', 'f9xptrqGQx'
Source: 1.2.20240328-REV2.exe.b0e0000.12.raw.unpack, RnjcWbdlYQfuZx2SOm.cs High entropy of concatenated method names: 'NV3ONU9Il7', 'qryOmBsdxi', 'Gy9OC70crg', 'iM7OQBdRMC', 'dG9O6bNAK1', 'IAxOuoEXjH', 'gsPOYi4RYW', 'XMqOnsSXcx', 'riLhLPhLs0YYPUZxElo', 'mpS2gHhw8sDS95jecb8'
Source: 1.2.20240328-REV2.exe.b0e0000.12.raw.unpack, CbbCU2jcbmE3ilttJVQ.cs High entropy of concatenated method names: 'XPCUmg7GMl', 'gLyUyyMIFB', 'kcJUCGjdYv', 'o45UQkBb31', 'PnFULR3T06', 'beRU63YCPm', 'L6sUuOUohj', 'YAVUssRSgx', 'NCPUYTpfA0', 'Xb3Unj10U5'
Source: 1.2.20240328-REV2.exe.b0e0000.12.raw.unpack, YCfeJ21MxuvufFcUrh.cs High entropy of concatenated method names: 'HOWUSlVCuQ', 'GjmUbCZasf', 'QHcUg24F00', 'KBVUIY5jxf', 'CVwUWnQXjr', 'J1YUANPXeh', 'nDWUOLNUVd', 'OHvdFFywmg', 'cDdd8I8DRv', 'ivUdiHpvQN'
Source: 1.2.20240328-REV2.exe.b0e0000.12.raw.unpack, qhMJ8TxmfrQleFASsy.cs High entropy of concatenated method names: 'q0CdvORm10', 'jhhdcIwrtE', 'gjWdZ7GPCu', 'VfadH6X2jF', 'dAHd2VXMFO', 'z0pdErBfv4', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.20240328-REV2.exe.b0e0000.12.raw.unpack, DqO3BeEpxTFOeAX25D.cs High entropy of concatenated method names: 'lEyW2fbXef', 'bRKWaWfYPc', 'RFeWKROrFu', 'kxnWhsPguS', 'Y8mWRZND18', 'BNZW4sMAW4', 'GpIWFmdBSF', 'APnW86wk1l', 'BwJWiMU5tt', 'S5WWoTsWkw'
Source: 1.2.20240328-REV2.exe.b0e0000.12.raw.unpack, iFn0ALuCn6UUl6nxCD.cs High entropy of concatenated method names: 'A3lChOBUq', 'evcQKIesi', 'lPd65EsHy', 'sJ9uBV5BS', 'GDvYs6IuH', 'rK0n98r0O', 'IMqjw9yXAiFrBN8hFp', 'RX9j3aOMNkcrx0ELrg', 'EXLdicfCU', 'vZk01eDu0'
Source: 1.2.20240328-REV2.exe.b0e0000.12.raw.unpack, D0L1d8NNnMWQU8RYtI.cs High entropy of concatenated method names: 'hG2emnaPKs', 'tsbeyrtCq5', 'tN5eCSYfOi', 'VTkeQ3XPQI', 'k2yeLlHI3w', 'bWXe6Bkrqv', 'mVOeuA6pS9', 'gv2esAK9Tf', 'AaDeYEAy2E', 'koVenbvZZu'
Source: 1.2.20240328-REV2.exe.b0e0000.12.raw.unpack, wl90ELqXIUV7JJ3xw4.cs High entropy of concatenated method names: 'Ve2Se8Zu8a', 'B6YSVoaH9X', 'SraSD3yLD1', 'md7S9jIaoy', 'ytVSPBqfWp', 'HB8SBFmXT2', 'XyN6KE66Jr7neSqXtD', 'wvg9D0jKRgulQQD6bd', 'ENMSSTyKMm', 'NNJSbhFl4X'
Source: 1.2.20240328-REV2.exe.b0e0000.12.raw.unpack, ooGS1Jb8LYOjRI2Nyn.cs High entropy of concatenated method names: 'Dispose', 'uXESifRvjL', 'fCZGcJMV0w', 'GrOxxgtYnk', 'cR7SonmTru', 'NpdSz49EfY', 'ProcessDialogKey', 'NxNGT255iU', 'nJ1GSoiYGK', 'KbsGGpI7wN'
Source: 1.2.20240328-REV2.exe.b0e0000.12.raw.unpack, Oss1lVFw9xKlL9Fawd.cs High entropy of concatenated method names: 'dlPdIwagE6', 'iEwdWvK0n8', 'OjhdpVSrVN', 'OoLdAB7lbv', 'adAdOSZmLe', 'gKMdeZCOyp', 'jxJdVOWBto', 'tI8d7YpN2o', 'kIqdDRmfAG', 'xNnd9GJkHG'
Source: 1.2.20240328-REV2.exe.b0e0000.12.raw.unpack, zpbjE8aHbUn0YcN3Lo.cs High entropy of concatenated method names: 'mGxpQuHixV', 'GQLp6b5hBd', 'p0ipsYAL9G', 'OPvpY246VF', 'TyUpPUGMGR', 'ATIpBh0G62', 'f5MpqALqBL', 'Hkbpdu3aHq', 'DJipUWvVR2', 'rC6p0iGycM'
Source: 1.2.20240328-REV2.exe.b0e0000.12.raw.unpack, wYSy8YM5lVQ1qCEVOD.cs High entropy of concatenated method names: 'vsAOwHDiaC', 'TKSOWgGvUO', 'Y39OABLnFl', 'ATZOeV25Uc', 'gGkOVTokAH', 'KgpARjRr47', 'PNcA4PN03g', 'e5KAFI95lA', 'oycA8td9ZL', 'rJZAiwAvxP'
Source: 1.2.20240328-REV2.exe.b0e0000.12.raw.unpack, K5uqj8D3Il5pOp6XVP.cs High entropy of concatenated method names: 'ToString', 'WRhBfx1riw', 'FOoBc1Frlx', 'pe8BZd8hDp', 'XfGBHISJeQ', 'RdrBEibin6', 'YMXB3RW0gx', 'EysBJhUVWa', 'FZsBMO1D20', 'UAmBjHWybS'
Source: 1.2.20240328-REV2.exe.b0e0000.12.raw.unpack, P37vu0CgjevrJVGJRa.cs High entropy of concatenated method names: 'mFDeIh7gTT', 'AAUepvyqja', 'F5FeOXKrOM', 'lhCOocA2pQ', 'cM0OzAh70f', 'ze5eTaKF6D', 'tGheSe1WkE', 'XRPeGDOrvT', 'Auseb0TkKT', 'dvJegCO0c3'
Source: 1.2.20240328-REV2.exe.b0e0000.12.raw.unpack, GxmFgWhgVkoXLP6vb2.cs High entropy of concatenated method names: 'LB7PtER1wW', 'S9dP1xwLNa', 'DlUP2NXFfD', 'Q4IPaU7rkv', 'wkBPc8RjWH', 'QQwPZjw1Jf', 'm5wPH8x7Br', 'f8JPEhdFJY', 'sx9P3ibuoK', 'mYWPJ0yXSX'
Source: 1.2.20240328-REV2.exe.b0e0000.12.raw.unpack, tFEshmjWrsGOPEfxccc.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'LYK023aC5B', 'zOd0afH5t5', 's6G0KoeE7y', 'BvS0hiDCX8', 'TEr0Rgn2tM', 'r3U04m6pk7', 'K6C0FIl0H3'
Source: 1.2.20240328-REV2.exe.b0e0000.12.raw.unpack, z27VGsnctYfwDT4cOl.cs High entropy of concatenated method names: 'h7uXsqw47h', 'jZNXY53rol', 'YXFXvan21q', 'iFgXc2aV6j', 'uCoXHKNWVJ', 'OEnXEyeA01', 'RT5XJqC0Qi', 'urJXMX7DbY', 'c6bXtHcnPV', 'EWVXfnxmpo'
Source: 1.2.20240328-REV2.exe.b0e0000.12.raw.unpack, suKFporoyXFpyYjnCY.cs High entropy of concatenated method names: 'kEDbwLlyxu', 'JhWbI2oSAu', 'yjRbWtwXJ1', 'r6NbpKg0xy', 'uR8bACsltZ', 'BesbO8jEpR', 'GPnbeUcUNb', 't6ibV8rkUx', 'Vrgb7jb01H', 'gDNbDMcFed'
Source: 1.2.20240328-REV2.exe.b0e0000.12.raw.unpack, rHSVVXzwWXSDqXqYTy.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'FBHUXYQop1', 'bLKUPAZrP1', 'YIxUBRR0rh', 'LmQUq8AUj8', 'xMyUdthDi7', 'rWDUUIrJEV', 'XDXU0PW7i8'
Source: 1.2.20240328-REV2.exe.6d50000.10.raw.unpack, V4uC3Iifq56IKQcfry.cs High entropy of concatenated method names: 'JcqLcnHE8kRk7VHJhl', 'baAwnpSkPWAs4YMGxr', 'wTgrto4LNQ', 'imnL6GCB6AIFRqkhxN', 'RgtTUJcyZL', 'dHYrbjNADO', 'xiCr8b7Qs6', 'PT2rZj37UR', 'P1WruDgOtu', 'd71eKLY6YVFQv'
Source: 1.2.20240328-REV2.exe.6d50000.10.raw.unpack, vpednoN8EZgsJ4TDwx.cs High entropy of concatenated method names: 'SvRTLtpnA', 'uJwWpedno', 'REZpgsJ4T', 'uwxys3A5Q', 'Tl3iTkB7U', 'EqRFtDP16', 'TW5lfqidm', 'wSKAUGlNW', 'LkrevaXpK', 'cwu0Op5AT'

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: 20240328-REV2.exe PID: 6840, type: MEMORYSTR
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\20240328-REV2.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\20240328-REV2.exe Memory allocated: CE0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Memory allocated: 2790000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Memory allocated: 2610000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Memory allocated: 89D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Memory allocated: 99D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Memory allocated: 9BE0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Memory allocated: ABE0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Memory allocated: B150000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Memory allocated: C150000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Memory allocated: E90000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Memory allocated: 2940000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Memory allocated: 27E0000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7156 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2275 Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Window / User API: threadDelayed 2036 Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Window / User API: threadDelayed 2726 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3672 Thread sleep time: -5534023222112862s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5040 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe TID: 6816 Thread sleep count: 2036 > 30 Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe TID: 6072 Thread sleep time: -16602069666338586s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe TID: 6072 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe TID: 6072 Thread sleep time: -99890s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe TID: 6072 Thread sleep time: -99770s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe TID: 6072 Thread sleep time: -99640s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe TID: 6072 Thread sleep time: -99515s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe TID: 6816 Thread sleep count: 2726 > 30 Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe TID: 6072 Thread sleep time: -99358s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe TID: 6072 Thread sleep time: -99249s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe TID: 6072 Thread sleep time: -99140s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe TID: 6072 Thread sleep time: -99029s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe TID: 6072 Thread sleep time: -98904s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe TID: 6072 Thread sleep time: -98781s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe TID: 6072 Thread sleep time: -98672s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe TID: 6072 Thread sleep time: -98562s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe TID: 6072 Thread sleep time: -98453s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe TID: 6072 Thread sleep time: -98343s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe TID: 6072 Thread sleep time: -98234s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe TID: 6072 Thread sleep time: -98125s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe TID: 6072 Thread sleep time: -97977s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe TID: 6072 Thread sleep time: -97859s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe TID: 6072 Thread sleep time: -97750s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe TID: 6072 Thread sleep time: -97640s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe TID: 6072 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\20240328-REV2.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\20240328-REV2.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\20240328-REV2.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Thread delayed: delay time: 99890 Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Thread delayed: delay time: 99770 Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Thread delayed: delay time: 99640 Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Thread delayed: delay time: 99515 Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Thread delayed: delay time: 99358 Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Thread delayed: delay time: 99249 Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Thread delayed: delay time: 99140 Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Thread delayed: delay time: 99029 Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Thread delayed: delay time: 98904 Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Thread delayed: delay time: 98781 Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Thread delayed: delay time: 98672 Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Thread delayed: delay time: 98562 Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Thread delayed: delay time: 98453 Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Thread delayed: delay time: 98343 Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Thread delayed: delay time: 98234 Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Thread delayed: delay time: 98125 Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Thread delayed: delay time: 97977 Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Thread delayed: delay time: 97859 Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Thread delayed: delay time: 97750 Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Thread delayed: delay time: 97640 Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: Amcache.hve.8.dr Binary or memory string: VMware
Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.8.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.8.dr Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
Source: Amcache.hve.8.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.8.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.8.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.8.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.8.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr Binary or memory string: vmci.sys
Source: Amcache.hve.8.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.8.dr Binary or memory string: \driver\vmci,\driver\pci
Source: 20240328-REV2.exe, 00000005.00000002.2743758681.000000000099A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllstringPNPDeviceID
Source: Amcache.hve.8.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr Binary or memory string: VMware20,1
Source: Amcache.hve.8.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.8.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.8.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.8.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.8.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: 20240328-REV2.exe, 00000005.00000002.2751147441.0000000005D20000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWJ
Source: Amcache.hve.8.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.8.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.8.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\20240328-REV2.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process queried: DebugPort Jump to behavior
Enables debug privileges
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\20240328-REV2.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\20240328-REV2.exe"
Source: C:\Users\user\Desktop\20240328-REV2.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\20240328-REV2.exe" Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\20240328-REV2.exe Memory written: C:\Users\user\Desktop\20240328-REV2.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\20240328-REV2.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\20240328-REV2.exe" Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Process created: C:\Users\user\Desktop\20240328-REV2.exe "C:\Users\user\Desktop\20240328-REV2.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\20240328-REV2.exe Queries volume information: C:\Users\user\Desktop\20240328-REV2.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Queries volume information: C:\Users\user\Desktop\20240328-REV2.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
AV process strings found (often used to terminate AV products)
Source: Amcache.hve.8.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.8.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.8.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.8.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.8.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information
barindex
Yara detected AgentTesla
Source: Yara match File source: 1.2.20240328-REV2.exe.436e7a0.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.20240328-REV2.exe.4345780.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.20240328-REV2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.20240328-REV2.exe.436e7a0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.20240328-REV2.exe.4345780.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.2743308776.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1582368712.0000000004187000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 00000005.00000002.2747010558.000000000299A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2747010558.0000000002941000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 20240328-REV2.exe PID: 4788, type: MEMORYSTR
Yara detected PureLog Stealer
Source: Yara match File source: 1.2.20240328-REV2.exe.6d50000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.20240328-REV2.exe.6d50000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.20240328-REV2.exe.3799970.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.20240328-REV2.exe.3799970.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.1585065911.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1582368712.0000000003799000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\20240328-REV2.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\20240328-REV2.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\20240328-REV2.exe File opened: C:\FTP Navigator\Ftplist.txt Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\20240328-REV2.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Users\user\Desktop\20240328-REV2.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000005.00000002.2747010558.0000000002941000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 20240328-REV2.exe PID: 4788, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected AgentTesla
Source: Yara match File source: 1.2.20240328-REV2.exe.436e7a0.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.20240328-REV2.exe.4345780.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.20240328-REV2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.20240328-REV2.exe.436e7a0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.20240328-REV2.exe.4345780.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.2743308776.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1582368712.0000000004187000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 00000005.00000002.2747010558.000000000299A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2747010558.0000000002941000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 20240328-REV2.exe PID: 4788, type: MEMORYSTR
Yara detected PureLog Stealer
Source: Yara match File source: 1.2.20240328-REV2.exe.6d50000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.20240328-REV2.exe.6d50000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.20240328-REV2.exe.3799970.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.20240328-REV2.exe.3799970.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.1585065911.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1582368712.0000000003799000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1432024 Sample: 20240328-REV2.exe Startdate: 26/04/2024 Architecture: WINDOWS Score: 100 23 mbarieservicesltd.com 2->23 25 mail.mbarieservicesltd.com 2->25 29 Snort IDS alert for network traffic 2->29 31 Multi AV Scanner detection for domain / URL 2->31 33 Found malware configuration 2->33 35 9 other signatures 2->35 8 20240328-REV2.exe 4 2->8         started        signatures3 process4 signatures5 37 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->37 39 Adds a directory exclusion to Windows Defender 8->39 41 Injects a PE file into a foreign processes 8->41 11 20240328-REV2.exe 2 8->11         started        15 powershell.exe 23 8->15         started        17 WerFault.exe 19 16 8->17         started        process6 dnsIp7 27 mbarieservicesltd.com 199.79.62.115, 49711, 587 PUBLIC-DOMAIN-REGISTRYUS United States 11->27 43 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->43 45 Tries to steal Mail credentials (via file / registry access) 11->45 47 Tries to harvest and steal ftp login credentials 11->47 49 Tries to harvest and steal browser information (history, passwords, etc) 11->49 51 Loading BitLocker PowerShell Module 15->51 19 conhost.exe 15->19         started        21 WmiPrvSE.exe 15->21         started        signatures8 process9
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
199.79.62.115
 mbarieservicesltd.com United States
394695 PUBLIC-DOMAIN-REGISTRYUS true

Contacted Domains

Name IP Active
mbarieservicesltd.com 199.79.62.115 true
mail.mbarieservicesltd.com unknown unknown