Windows Analysis Report
pmfoxWgt1q

Overview

General Information

Sample Name: pmfoxWgt1q (renamed file extension from none to dll)
Analysis ID: 677709
MD5: 6300568039c3d35aaa0fc0f59a6089df
SHA1: bef385861ab3ad1bf5c1c76384ccf45a75c80ed5
SHA256: 55d87fda07c8550c926974930480cf4899fed628ef544164519984efa447014a

Detection

Emotet
Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Yara detected Emotet
Multi AV Scanner detection for submitted file
Tries to load missing DLLs
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Registers a DLL
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: pmfoxWgt1q.dll Avira: detected
Source: pmfoxWgt1q.dll Metadefender: Detection: 34%
Source: pmfoxWgt1q.dll ReversingLabs: Detection: 72%
Source: pmfoxWgt1q.dll Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC73A78D1C FindFirstFileExW, 0_2_00007FFC73A78D1C
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00007FFC73A78D1C FindFirstFileExW, 2_2_00007FFC73A78D1C

E-Banking Fraud

Source: Yara match File source: pmfoxWgt1q.dll, type: SAMPLE
Source: Yara match File source: 5.2.rundll32.exe.7ffc739f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.7ffc739f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.7ffc739f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.7ffc739f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll64.exe.7ffc739f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.7ffc739f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.882940563.00007FFC739F1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.882553231.00007FFC739F1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.889058366.00007FFC739F1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.881462250.00007FFC739F1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.882940823.00007FFC739F1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.880853299.00007FFC739F1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\System32\loaddll64.exe Code function: String function: 00007FFC73A60620 appears 2834 times
Source: C:\Windows\System32\regsvr32.exe Code function: String function: 00007FFC73A60620 appears 2834 times
Source: pmfoxWgt1q.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pmfoxWgt1q.dll",#1
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\pmfoxWgt1q.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\pmfoxWgt1q.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\pmfoxWgt1q.dll
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\pmfoxWgt1q.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\pmfoxWgt1q.dll,YAeJyEAYL7F4eDck6YUaf
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\pmfoxWgt1q.dll,fmFkmnQYB5TC2Sq5NGFkK
Source: classification engine Classification label: mal64.troj.winDLL@13/0@0/0
Source: pmfoxWgt1q.dll Static PE information: Image base 0x180000000 > 0x60000000
Source: pmfoxWgt1q.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: pmfoxWgt1q.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: pmfoxWgt1q.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: pmfoxWgt1q.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: pmfoxWgt1q.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: pmfoxWgt1q.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: pmfoxWgt1q.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: pmfoxWgt1q.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: pmfoxWgt1q.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: pmfoxWgt1q.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: pmfoxWgt1q.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC73A6DB15 push 830F0001h; retn 0000h 0_2_00007FFC73A6DB1A
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00007FFC73A6DB15 push 830F0001h; retn 0000h 2_2_00007FFC73A6DB1A
Source: pmfoxWgt1q.dll Static PE information: section name: _RDATA
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC73A69F4C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FFC73A69F4C
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC73A7A0AC GetProcessHeap, 0_2_00007FFC73A7A0AC
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC73A64140 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FFC73A64140
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC73A64500 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FFC73A64500
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00007FFC73A64140 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00007FFC73A64140
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00007FFC73A69F4C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00007FFC73A69F4C
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_00007FFC73A64500 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00007FFC73A64500
Source: C:\Windows\System32\loaddll64.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_00007FFC73A7C424
Source: C:\Windows\System32\loaddll64.exe Code function: GetLocaleInfoW, 0_2_00007FFC73A733A0
Source: C:\Windows\System32\loaddll64.exe Code function: EnumSystemLocalesW, 0_2_00007FFC73A7C38C
Source: C:\Windows\System32\loaddll64.exe Code function: EnumSystemLocalesW, 0_2_00007FFC73A7C2BC
Source: C:\Windows\System32\loaddll64.exe Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_00007FFC73A7C9A4
Source: C:\Windows\System32\loaddll64.exe Code function: EnumSystemLocalesW, 0_2_00007FFC73A73008
Source: C:\Windows\System32\loaddll64.exe Code function: GetLocaleInfoW, 0_2_00007FFC73A7C878
Source: C:\Windows\System32\loaddll64.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_00007FFC73A7C7C8
Source: C:\Windows\System32\loaddll64.exe Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW, 0_2_00007FFC73A7BF70
Source: C:\Windows\System32\loaddll64.exe Code function: GetLocaleInfoW, 0_2_00007FFC73A7C670
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 2_2_00007FFC73A7C424
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoW, 2_2_00007FFC73A733A0
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesW, 2_2_00007FFC73A7C38C
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesW, 2_2_00007FFC73A7C2BC
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 2_2_00007FFC73A7C9A4
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesW, 2_2_00007FFC73A73008
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoW, 2_2_00007FFC73A7C878
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 2_2_00007FFC73A7C7C8
Source: C:\Windows\System32\regsvr32.exe Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW, 2_2_00007FFC73A7BF70
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoW, 2_2_00007FFC73A7C670
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC73A78300 cpuid 0_2_00007FFC73A78300
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC73A64404 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FFC73A64404

Stealing of Sensitive Information

Source: Yara match File source: same sample, unpacked PE and memory dump matches as listed under E-Banking Fraud
No contacted IP infos