
Windows Analysis Report
pfYNBAkPIwsCPTS.exe

Overview

General Information

Sample name: pfYNBAkPIwsCPTS.exe
Analysis ID: 1617036
MD5: 644860259f75043724ac9cfcb41c6bcc
SHA1: 7b6ebfbc887269e39137c47032fe6c4a51aeae4b
SHA256: 9d9dd06960daac5cb979cc40a22fcbe4742a2694fef52b356b4f72c9dc0b779a
Tags: exe, user-adrian__luca

Detection

MassLogger RAT
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected MassLogger RAT
Yara detected Telegram RAT
.NET source code contains potential unpacker
Joe Sandbox ML detected suspicious sample
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • pfYNBAkPIwsCPTS.exe (PID: 1520 cmdline: "C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe" MD5: 644860259F75043724AC9CFCB41C6BCC)
    • pfYNBAkPIwsCPTS.exe (PID: 3648 cmdline: "C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe" MD5: 644860259F75043724AC9CFCB41C6BCC)
  • cleanup
{"EXfil Mode": "SMTP", "From": "blow@hightechqa.com", "Password": "EVwH.p#,c0q}", "Server": "mail.hightechqa.com"}
Yara matches in memory dumps:

Source | Rule | Description | Author | Strings
00000003.00000002.3288037387.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security |
00000003.00000002.3288037387.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000003.00000002.3288037387.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security |
00000003.00000002.3288037387.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown |
  • 0xefdf:$a1: get_encryptedPassword
  • 0xf307:$a2: get_encryptedUsername
  • 0xed7a:$a3: get_timePasswordChanged
  • 0xee9b:$a4: get_passwordField
  • 0xeff5:$a5: set_encryptedPassword
  • 0x10951:$a7: get_logins
  • 0x10602:$a8: GetOutlookPasswords
  • 0x103f4:$a9: StartKeylogger
  • 0x108a1:$a10: KeyLoggerEventArgs
  • 0x10451:$a11: KeyLoggerEventArgsEventHandler
00000003.00000002.3289319033.0000000003174000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |

Yara matches in unpacked PE files:

Source | Rule | Description | Author | Strings
3.2.pfYNBAkPIwsCPTS.exe.400000.0.unpack | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security |
3.2.pfYNBAkPIwsCPTS.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
3.2.pfYNBAkPIwsCPTS.exe.400000.0.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security |
3.2.pfYNBAkPIwsCPTS.exe.400000.0.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown |
  • 0xf1df:$a1: get_encryptedPassword
  • 0xf507:$a2: get_encryptedUsername
  • 0xef7a:$a3: get_timePasswordChanged
  • 0xf09b:$a4: get_passwordField
  • 0xf1f5:$a5: set_encryptedPassword
  • 0x10b51:$a7: get_logins
  • 0x10802:$a8: GetOutlookPasswords
  • 0x105f4:$a9: StartKeylogger
  • 0x10aa1:$a10: KeyLoggerEventArgs
  • 0x10651:$a11: KeyLoggerEventArgsEventHandler
3.2.pfYNBAkPIwsCPTS.exe.400000.0.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth |
  • 0x1417d:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x1367b:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x13989:$a4: \Orbitum\User Data\Default\Login Data
  • 0x14781:$a5: \Kometa\User Data\Default\Login Data

No Sigma rule has matched

Suricata IDS alerts:

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-17T13:08:45.609216+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49706 | 132.226.8.169 | 80 | TCP

Source: 00000000.00000002.2053501273.000000000488A000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "blow@hightechqa.com", "Password": "EVwH.p#,c0q}", "Server": "mail.hightechqa.com"}
Source: pfYNBAkPIwsCPTS.exe | ReversingLabs: Detection: 56%
Source: pfYNBAkPIwsCPTS.exe | Virustotal: Detection: 52%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability

                Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org

                Compliance

Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Unpacked PE file: 0.2.pfYNBAkPIwsCPTS.exe.b30000.0.unpack
Source: pfYNBAkPIwsCPTS.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.5:49707 version: TLS 1.0
Source: pfYNBAkPIwsCPTS.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 4x nop then jmp 015E9731h | 3_2_015E9480
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 4x nop then jmp 015E9E5Ah | 3_2_015E9A40
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 4x nop then jmp 015E9E5Ah | 3_2_015E9A30
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 4x nop then jmp 015E9E5Ah | 3_2_015E9D87
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 4x nop then jmp 05B28830h | 3_2_05B28588
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 4x nop then jmp 05B247C9h | 3_2_05B24520
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 4x nop then jmp 05B276D0h | 3_2_05B27428
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 4x nop then jmp 05B2F700h | 3_2_05B2F458
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 4x nop then jmp 05B2E9F8h | 3_2_05B2E750
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 4x nop then jmp 05B25929h | 3_2_05B25680
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 4x nop then jmp 05B2E5A0h | 3_2_05B2E180
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 4x nop then jmp 05B283D8h | 3_2_05B28130
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 4x nop then jmp 05B2F2A8h | 3_2_05B2F000
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 4x nop then jmp 05B254D1h | 3_2_05B25228
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 4x nop then jmp 05B27278h | 3_2_05B27277
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 4x nop then jmp 05B25079h | 3_2_05B24DD0
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 4x nop then jmp 05B27F80h | 3_2_05B27CD8
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 4x nop then jmp 05B24C21h | 3_2_05B24978
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 4x nop then jmp 05B2FB58h | 3_2_05B2F8B0
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 4x nop then jmp 05B27B28h | 3_2_05B27880
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 4x nop then jmp 05B2EE50h | 3_2_05B2EBA8
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 4x nop then jmp 05B25E15h | 3_2_05B25AD8
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 132.226.8.169
Source: Joe Sandbox View | IP Address: 104.21.96.1
Source: Joe Sandbox View | IP Address: 104.21.96.1
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49706 -> 132.226.8.169:80
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.5:49707 version: TLS 1.0
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: pfYNBAkPIwsCPTS.exe, 00000003.00000002.3289319033.000000000309E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
Source: pfYNBAkPIwsCPTS.exe, 00000003.00000002.3289319033.000000000309E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.comd
Source: pfYNBAkPIwsCPTS.exe, 00000003.00000002.3289319033.000000000308C000.00000004.00000800.00020000.00000000.sdmp, pfYNBAkPIwsCPTS.exe, 00000003.00000002.3289319033.000000000309E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: pfYNBAkPIwsCPTS.exe, 00000003.00000002.3289319033.0000000003021000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: pfYNBAkPIwsCPTS.exe, 00000003.00000002.3289319033.000000000309E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/d
Source: pfYNBAkPIwsCPTS.exe, 00000000.00000002.2053501273.000000000488A000.00000004.00000800.00020000.00000000.sdmp, pfYNBAkPIwsCPTS.exe, 00000003.00000002.3288037387.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: pfYNBAkPIwsCPTS.exe, 00000003.00000002.3289319033.000000000309E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.orgd
Source: pfYNBAkPIwsCPTS.exe, 00000003.00000002.3289319033.00000000030BC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.org
Source: pfYNBAkPIwsCPTS.exe, 00000003.00000002.3289319033.00000000030BC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.orgd
Source: pfYNBAkPIwsCPTS.exe, 00000003.00000002.3289319033.0000000003021000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: pfYNBAkPIwsCPTS.exe, 00000000.00000002.2052204554.0000000003041000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Database1DataSet.xsd
Source: pfYNBAkPIwsCPTS.exe, 00000000.00000002.2053501273.000000000488A000.00000004.00000800.00020000.00000000.sdmp, pfYNBAkPIwsCPTS.exe, 00000003.00000002.3288037387.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: pfYNBAkPIwsCPTS.exe, 00000003.00000002.3289319033.000000000309E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
Source: pfYNBAkPIwsCPTS.exe, 00000000.00000002.2053501273.000000000488A000.00000004.00000800.00020000.00000000.sdmp, pfYNBAkPIwsCPTS.exe, 00000003.00000002.3288037387.0000000000402000.00000040.00000400.00020000.00000000.sdmp, pfYNBAkPIwsCPTS.exe, 00000003.00000002.3289319033.000000000309E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: pfYNBAkPIwsCPTS.exe, 00000003.00000002.3289319033.000000000309E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: pfYNBAkPIwsCPTS.exe, 00000003.00000002.3289319033.000000000309E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707

                System Summary

Source: 3.2.pfYNBAkPIwsCPTS.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.pfYNBAkPIwsCPTS.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.pfYNBAkPIwsCPTS.exe.4a7b598.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.pfYNBAkPIwsCPTS.exe.4a7b598.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.pfYNBAkPIwsCPTS.exe.488a828.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.pfYNBAkPIwsCPTS.exe.4a20178.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000003.00000002.3288037387.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2053501273.000000000488A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: pfYNBAkPIwsCPTS.exe PID: 1520, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: pfYNBAkPIwsCPTS.exe PID: 3648, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 0_2_01310869
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 0_2_013135F8
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 0_2_01311B38
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 3_2_015EC530
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 3_2_015E9480
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 3_2_015E19B8
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 3_2_015EC521
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 3_2_015E2DD1
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 3_2_015E946F
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 3_2_05B26138
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 3_2_05B2BC60
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 3_2_05B2AF00
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 3_2_05B289E0
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 3_2_05B28588
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 3_2_05B24520
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 3_2_05B2450F
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 3_2_05B28579
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 3_2_05B27428
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 3_2_05B27418
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 3_2_05B2F458
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 3_2_05B2F448
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 3_2_05B2E750
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 3_2_05B2E740
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 3_2_05B25680
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 3_2_05B2566F
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 3_2_05B2E180
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 3_2_05B26133
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 3_2_05B28130
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 3_2_05B28120
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 3_2_05B2F000
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 3_2_05B213A8
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 3_2_05B20330
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 3_2_05B20320
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 3_2_05B25228
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 3_2_05B2521A
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 3_2_05B24DD0
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 3_2_05B24DC0
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 3_2_05B20CD8
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 3_2_05B27CD8
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 3_2_05B27CC8
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 3_2_05B2EFF0
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 3_2_05B26FD0
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 3_2_05B26FC3
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 3_2_05B289D0
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 3_2_05B24978
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 3_2_05B24969
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 3_2_05B2F8B0
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 3_2_05B2F8A1
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 3_2_05B27880
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 3_2_05B27871
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 3_2_05B2EBA8
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 3_2_05B2EB98
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 3_2_05B20AB8
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 3_2_05B25AD8
Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Code function: 3_2_05B25ACA
Source: pfYNBAkPIwsCPTS.exe, 00000000.00000002.2052204554.0000000003211000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCloudServices.exe< vs pfYNBAkPIwsCPTS.exe
Source: pfYNBAkPIwsCPTS.exe, 00000000.00000000.2040124067.0000000000B32000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameeibn.exe4 vs pfYNBAkPIwsCPTS.exe
Source: pfYNBAkPIwsCPTS.exe, 00000000.00000002.2057154802.0000000007740000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs pfYNBAkPIwsCPTS.exe
Source: pfYNBAkPIwsCPTS.exe, 00000000.00000002.2050901458.000000000132E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs pfYNBAkPIwsCPTS.exe
Source: pfYNBAkPIwsCPTS.exe, 00000000.00000002.2053501273.000000000488A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs pfYNBAkPIwsCPTS.exe
Source: pfYNBAkPIwsCPTS.exe, 00000000.00000002.2053501273.000000000488A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCloudServices.exe< vs pfYNBAkPIwsCPTS.exe
Source: pfYNBAkPIwsCPTS.exe, 00000003.00000002.3288174958.0000000001157000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs pfYNBAkPIwsCPTS.exe
Source: pfYNBAkPIwsCPTS.exe, 00000003.00000002.3288037387.000000000041A000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCloudServices.exe< vs pfYNBAkPIwsCPTS.exe
Source: pfYNBAkPIwsCPTS.exe | Binary or memory string: OriginalFilenameeibn.exe4 vs pfYNBAkPIwsCPTS.exe
Source: pfYNBAkPIwsCPTS.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 3.2.pfYNBAkPIwsCPTS.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.pfYNBAkPIwsCPTS.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.pfYNBAkPIwsCPTS.exe.4a7b598.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.pfYNBAkPIwsCPTS.exe.4a7b598.5.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.pfYNBAkPIwsCPTS.exe.488a828.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.pfYNBAkPIwsCPTS.exe.4a20178.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000003.00000002.3288037387.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2053501273.000000000488A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: pfYNBAkPIwsCPTS.exe PID: 1520, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: pfYNBAkPIwsCPTS.exe PID: 3648, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: pfYNBAkPIwsCPTS.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.pfYNBAkPIwsCPTS.exe.4a20178.4.raw.unpack, AcmapKIUbKrvuF7Yhj.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.pfYNBAkPIwsCPTS.exe.4a20178.4.raw.unpack, AcmapKIUbKrvuF7Yhj.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.pfYNBAkPIwsCPTS.exe.4a20178.4.raw.unpack, m6meXy3dNMr2cdGc5O.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.pfYNBAkPIwsCPTS.exe.4a20178.4.raw.unpack, m6meXy3dNMr2cdGc5O.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.pfYNBAkPIwsCPTS.exe.4a20178.4.raw.unpack, m6meXy3dNMr2cdGc5O.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.pfYNBAkPIwsCPTS.exe.4a7b598.5.raw.unpack, AcmapKIUbKrvuF7Yhj.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.pfYNBAkPIwsCPTS.exe.4a7b598.5.raw.unpack, AcmapKIUbKrvuF7Yhj.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.pfYNBAkPIwsCPTS.exe.7740000.7.raw.unpack, AcmapKIUbKrvuF7Yhj.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.pfYNBAkPIwsCPTS.exe.7740000.7.raw.unpack, AcmapKIUbKrvuF7Yhj.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.pfYNBAkPIwsCPTS.exe.4a7b598.5.raw.unpack, m6meXy3dNMr2cdGc5O.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.pfYNBAkPIwsCPTS.exe.4a7b598.5.raw.unpack, m6meXy3dNMr2cdGc5O.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.pfYNBAkPIwsCPTS.exe.4a7b598.5.raw.unpack, m6meXy3dNMr2cdGc5O.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.pfYNBAkPIwsCPTS.exe.7740000.7.raw.unpack, m6meXy3dNMr2cdGc5O.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.pfYNBAkPIwsCPTS.exe.7740000.7.raw.unpack, m6meXy3dNMr2cdGc5O.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.pfYNBAkPIwsCPTS.exe.7740000.7.raw.unpack, m6meXy3dNMr2cdGc5O.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/2
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\pfYNBAkPIwsCPTS.exe.log
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Mutant created: NULL
                Source: pfYNBAkPIwsCPTS.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: pfYNBAkPIwsCPTS.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: pfYNBAkPIwsCPTS.exe, 00000003.00000002.3289319033.000000000313D000.00000004.00000800.00020000.00000000.sdmp, pfYNBAkPIwsCPTS.exe, 00000003.00000002.3289319033.000000000310E000.00000004.00000800.00020000.00000000.sdmp, pfYNBAkPIwsCPTS.exe, 00000003.00000002.3289319033.000000000311C000.00000004.00000800.00020000.00000000.sdmp, pfYNBAkPIwsCPTS.exe, 00000003.00000002.3290340189.000000000404D000.00000004.00000800.00020000.00000000.sdmp, pfYNBAkPIwsCPTS.exe, 00000003.00000002.3289319033.00000000030FE000.00000004.00000800.00020000.00000000.sdmp, pfYNBAkPIwsCPTS.exe, 00000003.00000002.3289319033.0000000003130000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: pfYNBAkPIwsCPTS.exe | ReversingLabs: Detection: 56%
                Source: pfYNBAkPIwsCPTS.exe | Virustotal: Detection: 52%
                Source: unknown | Process created: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe "C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe"
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Process created: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe "C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe"
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Section loaded: ucrtbase_clr0400.dll (logged twice)
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Section loaded: dwrite.dll
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Section loaded: windowscodecs.dll
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Section loaded: amsi.dll
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Section loaded: iconcodecservice.dll
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Section loaded: ucrtbase_clr0400.dll (logged twice)
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Section loaded: rasapi32.dll
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Section loaded: rasman.dll
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Section loaded: rtutils.dll
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Section loaded: mswsock.dll
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Section loaded: winhttp.dll
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Section loaded: dhcpcsvc6.dll
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Section loaded: dhcpcsvc.dll
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Section loaded: dnsapi.dll
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Section loaded: winnsi.dll
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Section loaded: rasadhlp.dll
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Section loaded: fwpuclnt.dll
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Section loaded: secur32.dll
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Section loaded: schannel.dll
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Section loaded: mskeyprotect.dll
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Section loaded: ntasn1.dll
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Section loaded: ncrypt.dll
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Section loaded: ncryptsslp.dll
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Section loaded: dpapi.dll
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: pfYNBAkPIwsCPTS.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: pfYNBAkPIwsCPTS.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
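Three rows above give a detection engineer something concrete to key on: the sample starts a second copy of itself (the suspended-process pattern the report flags in its signature list), it opens the Outlook profile subkey 9375CFF0413111d3B88A00104B2A6676 that normally only Outlook touches, and it carries the Chromium "Login Data" password_notes schema in memory, which means it parses that SQLite file. The Python below is an added example and is not part of the Joe Sandbox report or of the sample: it runs three such rules over a constructed, simplified event list. The field names (kind, image, target, parent_image) are an assumption for illustration rather than a real EDR schema, and the browser and Outlook image allow-lists are assumptions as well.

```python
import re
from typing import Iterable

# Constructed, simplified endpoint telemetry for this example. The field names are an
# assumption, not a real EDR or Sysmon schema; the paths mirror the report above.
SAMPLE_EVENTS = [
    {"kind": "process_create", "image": r"C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe",
     "parent_image": r"C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe"},
    {"kind": "registry_open", "image": r"C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe",
     "target": r"HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"kind": "file_open", "image": r"C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    # Benign activity that the rules must stay silent on.
    {"kind": "registry_open", "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "target": r"HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"kind": "file_open", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"kind": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
]

# Outlook profile subkey opened by the sample (any Office version, any profile name).
OUTLOOK_PROFILE_RE = re.compile(
    r"\\Software\\Microsoft\\Office\\[^\\]+\\Outlook\\Profiles\\.*\\9375CFF0413111D3B88A00104B2A6676$",
    re.IGNORECASE)
# Chromium credential store; the report shows its password_notes schema in the sample's memory.
LOGIN_DATA_RE = re.compile(r"\\User Data\\[^\\]+\\Login Data(\s+For Account)?$", re.IGNORECASE)

# Assumed allow-lists of the processes that legitimately read these stores.
OUTLOOK_IMAGES = {"outlook.exe"}
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: Iterable[dict]) -> list[str]:
    """Apply the three rules and return one alert string per matching event, in input order."""
    alerts = []
    for ev in events:
        image = ev["image"]
        name = basename(image)
        if ev["kind"] == "registry_open" and OUTLOOK_PROFILE_RE.search(ev["target"]) \
                and name not in OUTLOOK_IMAGES:
            alerts.append(f"mail-cred-access: {image} opened {ev['target']}")
        elif ev["kind"] == "file_open" and LOGIN_DATA_RE.search(ev["target"]) \
                and name not in BROWSER_IMAGES:
            alerts.append(f"browser-cred-access: {image} opened {ev['target']}")
        elif ev["kind"] == "process_create" and ev["parent_image"].lower() == image.lower():
            alerts.append(f"self-spawn: {image} started a copy of itself")
    return alerts


if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print(line)
```

The rules fire on who touches the credential stores rather than on the stores themselves, so Outlook and Chrome reading their own data stay quiet while a binary on the Desktop does not. A production version would key the allow-lists on signed-image identity rather than file name, because a stealer can be renamed chrome.exe; the self-spawn rule is the one that needs no allow-list at all, since the observed behaviour (a process launching its own path, then the child being overwritten with a payload) has almost no benign equivalent for a user-profile executable.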

                Data Obfuscation

                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Unpacked PE file: 0.2.pfYNBAkPIwsCPTS.exe.b30000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Unpacked PE file: 0.2.pfYNBAkPIwsCPTS.exe.b30000.0.unpack
                Source: 0.2.pfYNBAkPIwsCPTS.exe.7740000.7.raw.unpack, m6meXy3dNMr2cdGc5O.cs | .Net Code: NInLkDbDdK System.Reflection.Assembly.Load(byte[])
                Source: 0.2.pfYNBAkPIwsCPTS.exe.486a808.3.raw.unpack, MainForm.cs | .Net Code: _200C_202A_200E_202D_202D_206E_202D_202E_202A_206A_200E_202D_206B_206B_206E_206A_202C_206E_202E_200D_206B_206E_202C_202C_202B_200E_200C_202B_202C_206E_200D_200E_206C_202A_202E_206C_202B_202D_206B_200C_202E System.Reflection.Assembly.Load(byte[])
                Source: 0.2.pfYNBAkPIwsCPTS.exe.488a828.6.raw.unpack, MainForm.cs | .Net Code: _200C_202A_200E_202D_202D_206E_202D_202E_202A_206A_200E_202D_206B_206B_206E_206A_202C_206E_202E_200D_206B_206E_202C_202C_202B_200E_200C_202B_202C_206E_200D_200E_206C_202A_202E_206C_202B_202D_206B_200C_202E System.Reflection.Assembly.Load(byte[])
                Source: 0.2.pfYNBAkPIwsCPTS.exe.4a7b598.5.raw.unpack, m6meXy3dNMr2cdGc5O.cs | .Net Code: NInLkDbDdK System.Reflection.Assembly.Load(byte[])
                Source: 0.2.pfYNBAkPIwsCPTS.exe.4a20178.4.raw.unpack, m6meXy3dNMr2cdGc5O.cs | .Net Code: NInLkDbDdK System.Reflection.Assembly.Load(byte[])
                Source: pfYNBAkPIwsCPTS.exe | Static PE information: section name: .text entropy: 7.463572640237684
                The same unpacked assembly was recovered from three memory dumps (0.2.pfYNBAkPIwsCPTS.exe.7740000.7.raw.unpack, 0.2.pfYNBAkPIwsCPTS.exe.4a7b598.5.raw.unpack and 0.2.pfYNBAkPIwsCPTS.exe.4a20178.4.raw.unpack). The per-class findings below are identical in all three and are listed once, with the dump written as {7740000.7,4a7b598.5,4a20178.4}.
                Source: 0.2.pfYNBAkPIwsCPTS.exe.{7740000.7,4a7b598.5,4a20178.4}.raw.unpack, DOVDxC40w7qtM1QNrD.cs | High entropy of concatenated method names: 'Wu2VmOnOL8', 'yHHVJBq03n', 'lE2VcRs50P', 'zNqVqNyW1H', 'oKaVxQ0cmT', 'r1HV0xDaeA', 'jElV907MuL', 'r6gVHST0yR', 'Bu9Vn9NVDq', 'ChfVGVCy1S'
                Source: 0.2.pfYNBAkPIwsCPTS.exe.{7740000.7,4a7b598.5,4a20178.4}.raw.unpack, PrldAfseb0NH1BGFVk.cs | High entropy of concatenated method names: 'OvckQOdWW', 'Jks5dVb1q', 'UNfBw2IpZ', 'rkMuH33if', 'urnFFSQa2', 'OEjNDX8WT', 'ua6Fjl8t4gs3cSYcGy', 'ry1ivQasPWPfXCeBGu', 'mfayQ5i8C', 'b6dUMqKT6'
                Source: 0.2.pfYNBAkPIwsCPTS.exe.{7740000.7,4a7b598.5,4a20178.4}.raw.unpack, QwZ3f3P9Zf9qbQp0QC.cs | High entropy of concatenated method names: 'NBJVp8k6Zi', 'DtHVTbS9ff', 'RC2VVLmSdj', 'jcVVv8KWSw', 'OgaVQrXYMm', 'poQV8kXj9u', 'Dispose', 'TMmyj95HPi', 'qbiyfrys9G', 'ggFylHksZA'
                Source: 0.2.pfYNBAkPIwsCPTS.exe.{7740000.7,4a7b598.5,4a20178.4}.raw.unpack, RSR36c10sBGNp6disf.cs | High entropy of concatenated method names: 'bDVUlvBGoX', 'e5QUd1XXKb', 'rDIUaPloQ8', 'Oi2URWrLyv', 'DtbUVPIlTY', 'FyEU3yHFXN', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.pfYNBAkPIwsCPTS.exe.{7740000.7,4a7b598.5,4a20178.4}.raw.unpack, jS0UcDJVh6rmgcft7e.cs | High entropy of concatenated method names: 'Dbl7ltCJJBbSRpHXTHd', 'YV0gWjC0sYjB0dRP1ki', 'Jxnaywm3vF', 'ieyaVK4qRD', 'uL8aUWACfa', 'swhilCCrBYn5dQlkrmy', 'LfOPdJCESPIhSir8CcC', 'hVvvCWCnpohVNX63N9S'
                Source: 0.2.pfYNBAkPIwsCPTS.exe.{7740000.7,4a7b598.5,4a20178.4}.raw.unpack, s204SLhhU2HWvuYaHWy.cs | High entropy of concatenated method names: 'dXaU13hdEZ', 'IXuUzHLU9n', 'STrveaBhLJ', 'XMEvhkie9t', 'OgjvsMCJFI', 'X0YvZKYGBK', 'UYIvL7p9Us', 'eSrvC5A2dw', 'jpjvj3FDSg', 'pHtvfZBXSg'
                Source: 0.2.pfYNBAkPIwsCPTS.exe.{7740000.7,4a7b598.5,4a20178.4}.raw.unpack, uI96sLn3Wln8bc5YhL.cs | High entropy of concatenated method names: 'KDrROBkDFY', 'mvVRYbGMhl', 'WmqRkFYZfH', 'SbhR5wLpP0', 'n3ERoatbQ9', 'r5VRBFmf2E', 'fXoRue6EXj', 'FmaRI0OMd0', 'JBeRF3pM3h', 'qP4RNrsia6'
                Source: 0.2.pfYNBAkPIwsCPTS.exe.{7740000.7,4a7b598.5,4a20178.4}.raw.unpack, b9RaOoFDbmF11odbmx.cs | High entropy of concatenated method names: 'f2el5SRB2Z', 'BtylBnP18p', 'txDlIfxlQ8', 'UOKlFGXaNr', 'IislpwdIsH', 'VlZlr2UhYi', 'GBIlTrOJeL', 'K32ly3GEpm', 'z51lVHpkPZ', 'w4NlUuHtnI'
                Source: 0.2.pfYNBAkPIwsCPTS.exe.{7740000.7,4a7b598.5,4a20178.4}.raw.unpack, AcmapKIUbKrvuF7Yhj.cs | High entropy of concatenated method names: 'NSafWUy6aE', 's6gfMHkVb8', 'kW5f7Psiys', 'VptftJVNmo', 'SZCfX6AyJV', 'AIffb3kmT9', 'w5AfP5bKA4', 'SunfisdWjB', 'oCwf44AsvV', 'n2Kf1HFbcK'
                Source: 0.2.pfYNBAkPIwsCPTS.exe.{7740000.7,4a7b598.5,4a20178.4}.raw.unpack, P8mOWj6B8tJVQUh2Se.cs | High entropy of concatenated method names: 'AwjEIu1GgX', 'ulfEFwXfZU', 'rrsEm4BhBK', 'uWREJAsiN8', 'hSmEqI681U', 'yGtEx4NEXr', 'sWtE9shOpD', 'PNfEHic8dp', 'GRUEGBJVtU', 'zoZE26aMMN'
                Source: 0.2.pfYNBAkPIwsCPTS.exe.{7740000.7,4a7b598.5,4a20178.4}.raw.unpack, b2iiGYbMSNgM0e5j0y.cs | High entropy of concatenated method names: 'dfHTibhdcT', 'aSyT1aN8Ti', 'XsByeGddNa', 'Mn3yh18iuF', 'mvNT2UsaF4', 'Ms4TKjOc9N', 'DrST6vqFS4', 'XCZTW71G7R', 'l6JTMoj9lb', 'gGxT7xviOI'
                Source: 0.2.pfYNBAkPIwsCPTS.exe.{7740000.7,4a7b598.5,4a20178.4}.raw.unpack, lG8AgVhecyX47ae3DcA.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'qaxU2tDx3I', 'hAuUKKpDWK', 'J7iU6gbTYd', 'NOsUWg1P7k', 'HWhUMH1iaU', 'pEhU74gMDR', 'SSuUtmK7M5'
                Source: 0.2.pfYNBAkPIwsCPTS.exe.{7740000.7,4a7b598.5,4a20178.4}.raw.unpack, JuUJQVhLGMn7A41Yphj.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'y1hAVwbGvr', 'NIrAUSpowB', 'JTjAv6AKnS', 'RMoAA9IBnA', 'pPlAQ45cGo', 'F3MADwqgsW', 'sL8A8iuWle'
                Source: 0.2.pfYNBAkPIwsCPTS.exe.{7740000.7,4a7b598.5,4a20178.4}.raw.unpack, nHesDPlqQxZWSYF3El.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'Opds4mGcm3', 'lOOs1XHOmE', 'Xaiszl8PHl', 'pHgZewb4vb', 'tgsZhU1C7D', 'RvgZscBBDM', 'j0ZZZnBO5f', 'QrLC2iXBCCBv3nreR6T'
                Source: 0.2.pfYNBAkPIwsCPTS.exe.{7740000.7,4a7b598.5,4a20178.4}.raw.unpack, xcIsPpWk6vq4D2WcMQ.cs | High entropy of concatenated method names: 'QnPpG9jdQP', 'pLnpKpmece', 'zVwpWmwabO', 'sZMpM2YksA', 'jBbpJ7SobB', 'urjpcJj8hL', 'FtLpq9lEDc', 'hdBpxjQ8HA', 'm1pp00N0Oa', 'HLQp9Ayw78'
                Source: 0.2.pfYNBAkPIwsCPTS.exe.{7740000.7,4a7b598.5,4a20178.4}.raw.unpack, QhZpTKm7t8NUl798SF.cs | High entropy of concatenated method names: 'fataC7ufHJ', 'Jmlafomr6Y', 'wWAad1dEEs', 'GXeaRdTp2J', 'psia36FgQx', 'B0udXEkyIr', 'va2dbpNZoW', 'TgKdPZOxXI', 'OysdiO9Fjm', 'BMld4WR951'
                Source: 0.2.pfYNBAkPIwsCPTS.exe.{7740000.7,4a7b598.5,4a20178.4}.raw.unpack, HPFxflzTPxZqLtGoKF.cs | High entropy of concatenated method names: 'fSxUBrMOvW', 'EyZUIVaOUg', 'SYWUFtAEQJ', 'spPUmnI29F', 'RnKUJm2yVm', 'lWJUqAgi7B', 'aLEUxUkaYp', 'MDsU8At5jO', 'X2lUOHApcK', 'B6yUYttESs'
                Source: 0.2.pfYNBAkPIwsCPTS.exe.{7740000.7,4a7b598.5,4a20178.4}.raw.unpack, m6meXy3dNMr2cdGc5O.cs | High entropy of concatenated method names: 'IIuZCafsYl', 'tcpZjaPNG8', 'zMVZfwyLjU', 'TFVZlpZtNa', 'Q5cZdLrRMU', 'KVhZaQqmja', 'pReZRrFbsR', 'QAQZ3gmB7W', 'T2vZwoDtAN', 'DXQZS0B8ti'
                Source: 0.2.pfYNBAkPIwsCPTS.exe.{7740000.7,4a7b598.5,4a20178.4}.raw.unpack, CrD5WqLIlyhT5x3EoJ.cs | High entropy of concatenated method names: 'mB5hRcmapK', 'sbKh3rvuF7', 'BDbhSmF11o', 'hbmhgxgCCT', 'miMhpXL6hZ', 'oTKhr7t8NU', 'hFnRYAMu7lBmCe6t4Q', 'pGiveryhKiCT5LHIRs', 'qWDhhKObtW', 'B78hZ0BP9Y'
                Source: 0.2.pfYNBAkPIwsCPTS.exe.{7740000.7,4a7b598.5,4a20178.4}.raw.unpack, zpVrXTfaSyfvITxv2Z.cs | High entropy of concatenated method names: 'Dispose', 'g9qh4bQp0Q', 'pOKsJTImg8', 'HbWAXQlCfw', 'eFfh1gWUIF', 'JKphzo1SHx', 'ProcessDialogKey', 'UVIseOVDxC', 'Kw7shqtM1Q', 'FrDssWSR36'
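The .text entropy of 7.46 reported above and the long list of high-entropy class findings are two uses of one measurement: Shannon entropy over a section's bytes flags a compressed or encrypted payload (a plain .NET code section normally sits well below 7 bits per byte), and entropy over the concatenated method names of a class separates renamed identifiers such as 'Wu2VmOnOL8' from real ones such as 'Dispose' or 'ConvertFrom', which the obfuscator must leave alone because they override framework members. The Python below is an added example, not code from the report or from Joe Sandbox: it implements both measurements with a hand-written PE section-table walk that needs no third-party module, and builds a synthetic PE image in memory so it runs offline. The 7.0 threshold and the synthetic image are assumptions for illustration; the two method-name lists are copied from the rows above.

```python
import math
import struct
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for a flat histogram."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_section_entropy(image: bytes) -> dict[str, float]:
    """Walk the PE section table by hand; return {section name: entropy of its raw on-disk bytes}."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4                                    # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size                           # first IMAGE_SECTION_HEADER
    result = {}
    for i in range(num_sections):
        hdr = table + i * 40
        name = image[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, hdr + 16)  # SizeOfRawData, PointerToRawData
        result[name] = shannon_entropy(image[raw_ptr:raw_ptr + raw_size])
    return result


def packed_sections(entropies: dict[str, float], threshold: float = 7.0) -> list[str]:
    """Sections whose entropy suggests compressed or encrypted content (threshold is an assumption)."""
    return [name for name, e in entropies.items() if e >= threshold]


def method_name_entropy(names: list[str]) -> float:
    """The sandbox heuristic: entropy of all method names of one class, concatenated."""
    return shannon_entropy("".join(names).encode("utf-8"))


def build_minimal_pe(sections: dict[str, bytes]) -> bytes:
    """Constructed, non-runnable PE32 image with the given sections, so the parser can be exercised offline."""
    opt = bytes(224)                                       # PE32 optional header; contents irrelevant here
    e_lfanew = 0x40
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    raw_ptr = e_lfanew + 4 + 20 + len(opt) + 40 * len(sections)   # data starts right after the table
    headers, blobs = b"", b""
    for name, data in sections.items():
        headers += struct.pack("<8sIIIIIIHHI", name.encode("ascii"), len(data), 0x1000,
                               len(data), raw_ptr, 0, 0, 0, 0, 0x60000020)
        blobs += data
        raw_ptr += len(data)
    return dos + b"PE\0\0" + coff + opt + headers + blobs


# Method names copied from the report rows above: one renamed class, and the
# un-renamed framework overrides that survive obfuscation across several classes.
OBFUSCATED = ['Wu2VmOnOL8', 'yHHVJBq03n', 'lE2VcRs50P', 'zNqVqNyW1H', 'oKaVxQ0cmT',
              'r1HV0xDaeA', 'jElV907MuL', 'r6gVHST0yR', 'Bu9Vn9NVDq', 'ChfVGVCy1S']
PLAIN = ['Dispose', 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'EditValue',
         'GetEditStyle', 'Next', 'NextBytes', 'ProcessDialogKey']

if __name__ == "__main__":
    # Constructed image: a flat-histogram .text (what an encrypted payload looks like) beside an all-zero .rsrc.
    img = build_minimal_pe({".text": bytes(range(256)) * 16, ".rsrc": bytes(4096)})
    ent = pe_section_entropy(img)
    for name, e in ent.items():
        print(f"{name:8s} entropy {e:.3f}")
    print("packed candidates:", packed_sections(ent))
    print(f"obfuscated names: {method_name_entropy(OBFUSCATED):.2f} bits/char, "
          f"plain names: {method_name_entropy(PLAIN):.2f} bits/char")
```

Run against a real file, pe_section_entropy(open(path, "rb").read()) gives the same per-section figure the report quotes for .text, and the renamed class in OBFUSCATED scores roughly a bit per character higher than the framework names in PLAIN. Entropy alone is a triage signal, not a verdict: signed installers and packed-but-legitimate software also exceed 7.0, so pair it with the Assembly.Load(byte[]) finding above, which is what turns "high entropy in .text" into "encrypted payload loaded in memory".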
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                Malware Analysis System Evasion

                Source: Yara match | File source: Process Memory Space: pfYNBAkPIwsCPTS.exe PID: 1520, type: MEMORYSTR
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Memory allocated: 12F0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Memory allocated: 3040000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Memory allocated: 2E40000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Memory allocated: 5540000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Memory allocated: 6540000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Memory allocated: 6670000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Memory allocated: 7670000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Memory allocated: 9FF0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Memory allocated: AFF0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Memory allocated: BFF0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Memory allocated: C480000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Memory allocated: D5C0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Memory allocated: E5C0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Memory allocated: F5C0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Memory allocated: 15E0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Memory allocated: 3020000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Memory allocated: 5020000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe TID: 5036 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Thread delayed: delay time: 922337203685477
                Source: pfYNBAkPIwsCPTS.exe, 00000003.00000002.3288284519.0000000001357000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllz
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Process token adjusted: Debug
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Memory allocated: page read and write | page guard
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Process created: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe "C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe"
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Queries volume information: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe VolumeInformation
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Queries volume information: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe VolumeInformation
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

                Source: Yara match | File source: 3.2.pfYNBAkPIwsCPTS.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.pfYNBAkPIwsCPTS.exe.4a7b598.5.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.pfYNBAkPIwsCPTS.exe.488a828.6.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.pfYNBAkPIwsCPTS.exe.4a20178.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000003.00000002.3288037387.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2053501273.000000000488A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: pfYNBAkPIwsCPTS.exe PID: 1520, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: pfYNBAkPIwsCPTS.exe PID: 3648, type: MEMORYSTR
                Source: Yara match | File source: 3.2.pfYNBAkPIwsCPTS.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.pfYNBAkPIwsCPTS.exe.4a7b598.5.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.pfYNBAkPIwsCPTS.exe.488a828.6.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.pfYNBAkPIwsCPTS.exe.4a20178.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000003.00000002.3288037387.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2053501273.000000000488A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: pfYNBAkPIwsCPTS.exe PID: 1520, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: pfYNBAkPIwsCPTS.exe PID: 3648, type: MEMORYSTR
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\pfYNBAkPIwsCPTS.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: Yara match | File source: 3.2.pfYNBAkPIwsCPTS.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.pfYNBAkPIwsCPTS.exe.4a7b598.5.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.pfYNBAkPIwsCPTS.exe.488a828.6.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.pfYNBAkPIwsCPTS.exe.4a20178.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000003.00000002.3288037387.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.3289319033.0000000003174000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2053501273.000000000488A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: pfYNBAkPIwsCPTS.exe PID: 1520, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: pfYNBAkPIwsCPTS.exe PID: 3648, type: MEMORYSTR

                Remote Access Functionality

                Source: Yara match | File source: 3.2.pfYNBAkPIwsCPTS.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.pfYNBAkPIwsCPTS.exe.4a7b598.5.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.pfYNBAkPIwsCPTS.exe.488a828.6.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.pfYNBAkPIwsCPTS.exe.4a20178.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000003.00000002.3288037387.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2053501273.000000000488A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: pfYNBAkPIwsCPTS.exe PID: 1520, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: pfYNBAkPIwsCPTS.exe PID: 3648, type: MEMORYSTR
                Source: Yara match | File source: 3.2.pfYNBAkPIwsCPTS.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.pfYNBAkPIwsCPTS.exe.4a7b598.5.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.pfYNBAkPIwsCPTS.exe.488a828.6.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.pfYNBAkPIwsCPTS.exe.4a20178.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000003.00000002.3288037387.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2053501273.000000000488A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: pfYNBAkPIwsCPTS.exe PID: 1520, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: pfYNBAkPIwsCPTS.exe PID: 3648, type: MEMORYSTR

                MITRE ATT&CK Matrix (a leading number is the count of matched signatures mapped to that technique; cells without a number are unmatched techniques shown for context)

                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
                Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 1 Query Registry | Remote Services | 1 Email Collection | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Disable or Modify Tools | LSASS Memory | 1 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
                Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 31 Virtualization/Sandbox Evasion | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | 1 Data from Local System | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 31 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | 13 Application Layer Protocol | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | 1 System Network Configuration Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 32 Software Packing | Cached Domain Credentials | 13 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
