
Windows Analysis Report
CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe

Overview

General Information

Sample Name:CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe
Analysis ID:831701
MD5:8b00956371455a2cec3430013108263c
SHA1:7e4c0599f6c94762172431f522ced9873b2f01f6
SHA256:86e233cb75b893c9e4e0d26385155c4f575e4217f2d52cba592641c996bc9cc8
Tags:exe

Detection

Vector Stealer, zgRAT
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected zgRAT
Malicious sample detected (through community Yara rule)
Yara detected Telegram RAT
Yara detected Vector Stealer
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Machine Learning detection for sample
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • cleanup

Malware configuration: {"C2 url": "https://api.telegram.org/bot6060819824:AAG5pGuc1f_lNmdP8ekHh8QHPqsZRtRtPwo/sendMessage?chat_id=2078805713"}
Source | Rule | Description | Author | Strings
00000001.00000002.261105633.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
00000001.00000002.259729927.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
00000001.00000002.261105633.000000000306D000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security |
00000001.00000002.261105633.000000000306D000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
00000001.00000002.261105633.000000000306D000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_VectorStealer | Yara detected Vector Stealer | Joe Security |
Source | Rule | Description | Author | Strings
1.2.CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe.400000.0.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
0.2.CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe.46fd2a0.10.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
0.2.CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe.46fd2a0.10.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
0.2.CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe.46fd2a0.10.raw.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
0.2.CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe.46fd2a0.10.raw.unpack | MALWARE_Win_zgRAT | Detects zgRAT | ditekSHen | matched strings:
  • 0x298b1f:$s1: file:///
  • 0x298a2f:$s2: {11111-22222-10009-11112}
  • 0x298aaf:$s3: {11111-22222-50001-00000}
  • 0xc9d23:$s4: get_Module
  • 0x198343:$s4: get_Module
  • 0x2980b2:$s4: get_Module
  • 0x441683:$s4: get_Module
  • 0xc5217:$s5: Reverse
  • 0x193837:$s5: Reverse
  • 0x29833d:$s5: Reverse
  • 0x43cb77:$s5: Reverse
  • 0xc9432:$s6: BlockCopy
  • 0x197a52:$s6: BlockCopy
  • 0x296558:$s6: BlockCopy
  • 0x440d92:$s6: BlockCopy
  • 0xc93e1:$s7: ReadByte
  • 0x197a01:$s7: ReadByte
  • 0x440d41:$s7: ReadByte
  • 0x298b31:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | ReversingLabs: Detection: 59%
Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Virustotal: Detection: 71%
Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Joe Sandbox ML: detected
Source: 1.2.CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 00000001.00000002.261105633.000000000306D000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Vector Stealer {"C2 url": "https://api.telegram.org/bot6060819824:AAG5pGuc1f_lNmdP8ekHh8QHPqsZRtRtPwo/sendMessage?chat_id=2078805713"}
Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h (1_2_02E505E7)
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h (1_2_02FA7A82)
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h (1_2_02FA3BD8)
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h (1_2_02FA0040)
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h (1_2_02FA3BCA)
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h (1_2_02FA0006)
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Code function: 4x nop then jmp 02FA127Bh (1_2_02FA0F38)
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Code function: 4x nop then jmp 02FA127Bh (1_2_02FA0F28)
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h (1_2_02FAB4C0)
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h (1_2_02FAB4B2)
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h (1_2_02FA44B1)

Networking

Source: Malware configuration extractor | URLs: https://api.telegram.org/bot6060819824:AAG5pGuc1f_lNmdP8ekHh8QHPqsZRtRtPwo/sendMessage?chat_id=2078805713
Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe, 00000001.00000002.261105633.000000000306D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe, 00000001.00000002.261105633.000000000306D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discord.com/api/v8/users/
Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe, 00000001.00000002.261105633.000000000306D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/ip6
Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe, 00000001.00000002.261105633.000000000306D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/ip6SOFTWARE
Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe, 00000001.00000002.261105633.000000000306D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://vectorstealer.com
Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe, 00000000.00000002.257821594.000000000138B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Source: 0.2.CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe.46fd2a0.10.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe.4621e80.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: initial sample | Static PE information: Filename: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe
Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe.46fd2a0.10.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe.4621e80.8.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Code function: 0_2_015BC01C
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Code function: 0_2_015BEC78
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Code function: 0_2_015BEC68
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Code function: 1_2_02E513C0
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Code function: 1_2_02E547F0
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Code function: 1_2_02E50B38
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Code function: 1_2_02E53EE0
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Code function: 1_2_02E5CEB8
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Code function: 1_2_02E513B0
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Code function: 1_2_02E5B6F0
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Code function: 1_2_02E50B28
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Code function: 1_2_02E53EF0
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Code function: 1_2_02E5DED8
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Code function: 1_2_02E5AFE0
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Code function: 1_2_02E5AFD0
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Code function: 1_2_02FA9228
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Code function: 1_2_02FA1430
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Code function: 1_2_02FA5530
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Code function: 1_2_02FA9218
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Code function: 1_2_02FAB0F0
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Code function: 1_2_02FAB0E0
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Code function: 1_2_02FA89B8
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Code function: 1_2_02FA89B6
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Code function: 1_2_02FA2178
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Code function: 1_2_02FA2167
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Code function: 1_2_02FA1421
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Code function: 1_2_02FA8DF0
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Code function: 1_2_02FA25C0
Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe, 00000000.00000000.250467987.0000000000AF2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameUZv.exe6 vs CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe
Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe, 00000000.00000002.257821594.000000000138B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe
Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe, 00000000.00000002.258712247.0000000002F81000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCruiser.dll, vs CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe
Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe, 00000000.00000002.258712247.0000000002F81000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameStub.exe* vs CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe
Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe, 00000000.00000002.270395762.00000000063B0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameOutimurs.dll2 vs CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe
Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Binary or memory string: OriginalFilenameUZv.exe6 vs CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe
Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | ReversingLabs: Detection: 59%
Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Virustotal: Detection: 71%
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | File read: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe:Zone.Identifier
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Process created: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Process created: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe.log
Source: classification engine | Classification label: mal100.troj.evad.winEXE@3/1@0/0
Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Static file information: File size 1729024 > 1048576
Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1a5800
Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

Source: Yara match | File source: 1.2.CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe.46fd2a0.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe.46fd2a0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe.4621e80.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.261105633.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.259729927.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.261105633.000000000306D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.261250417.0000000004621000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe PID: 2636, type: MEMORYSTR
Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe, LogicGames/Menus/MainMenu.cs | .Net Code: InitializeComponent System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe.af0000.0.unpack, LogicGames/Menus/MainMenu.cs | .Net Code: InitializeComponent System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Code function: 1_2_02E577FD pushad ; ret 1_2_02E57801
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Code function: 1_2_02E5780B pushfd ; ret 1_2_02E57811
Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Static PE information: 0xC4266EA6 [Fri Apr 13 13:50:30 2074 UTC]
Source: initial sample | Static PE information: section name: .text entropy: 7.772614775846585
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe, 00000001.00000002.261105633.000000000306D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe, 00000001.00000002.261105633.000000000306D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe, 00000001.00000002.261105633.000000000306D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME"SELECT * FROM WIN32_COMPUTERSYSTEM
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe TID: 2620 | Thread sleep time: -40023s >= -30000s
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe TID: 2228 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe TID: 4704 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Thread delayed: delay time: 40023
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Thread delayed: delay time: 922337203685477
Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe, 00000001.00000002.261105633.000000000306D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vboxservice
Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe, 00000001.00000002.261105633.000000000306D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: qemu-ga
Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe, 00000001.00000002.261105633.000000000306D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe, 00000001.00000002.261105633.000000000306D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: qemu-ga!SELECT * FROM Win32_PortConnector!Win32_NetworkAdapterConfiguration
Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe, 00000001.00000002.261105633.000000000306D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\Program Files\VMware2C:\Program Files\oracle\virtualbox guest additions
Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe, 00000001.00000002.261105633.000000000306D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmusrvc
Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe, 00000001.00000002.261105633.000000000306D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\Program Files\VMware
Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe, 00000001.00000002.261105633.000000000306D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VBoxMouse.sys
Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe, 00000001.00000002.261105633.000000000306D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VBoxGuest.sys
Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe, 00000001.00000002.261105633.000000000306D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VBoxSF.sys
Source: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe, 00000001.00000002.261105633.000000000306D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmmouse.sys
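The memory strings above are the usual anti-VM and anti-sandbox checks: the Wine export name, the Sandboxie DLL, VirtualBox and VMware driver, service and install-path names, the QEMU guest agent, and WMI queries against Win32_ComputerSystem, Win32_PortConnector and Win32_NetworkAdapterConfiguration (which expose a hypervisor's manufacturer string, the absence of physical port connectors and virtual NIC MAC prefixes). The Python below is an added example, not part of the Joe Sandbox report or the sample: it scans a memory dump for exactly these indicators in both ASCII and UTF-16LE (the encoding a .NET process uses for its string literals) and sorts observed sleep durations against the report's 30000 threshold. The dump bytes, the category names and the assumption that the sleep values are milliseconds are mine, not the report's.

```python
"""Added example, not part of the Joe Sandbox report: a triage scanner for the
anti-analysis indicator strings the report extracted from the sample's memory,
plus a classifier for the sleep durations it recorded.  The dump bytes below are
constructed for illustration."""
from collections import defaultdict

# Indicator strings taken from the report, grouped by what each one detects.
INDICATORS = {
    "wine": ["wine_get_unix_file_name"],
    "sandboxie": ["SbieDll.dll"],
    "virtualbox": ["vboxservice", "VBoxMouse.sys", "VBoxGuest.sys", "VBoxSF.sys",
                   r"C:\Program Files\oracle\virtualbox guest additions"],
    "vmware": ["vmware", "vmusrvc", "vmmouse.sys", r"C:\Program Files\VMware"],
    "qemu": ["qemu-ga"],
    "wmi_fingerprint": ["SELECT * FROM Win32_ComputerSystem",
                        "SELECT * FROM Win32_PortConnector",
                        "Win32_NetworkAdapterConfiguration"],
}

# Sleeps at or above this value are treated as evasive, mirroring the 30000
# threshold the report applies (assumption: the values are milliseconds).
SLEEP_THRESHOLD_MS = 30_000


def scan_memory(blob: bytes) -> dict:
    """Return {category: [indicator, ...]} for every indicator present in blob.

    A .NET process keeps its string literals as UTF-16LE, while native code and
    the report's own rendering use ASCII, so both encodings are checked.  The
    comparison is case-insensitive; bytes.lower() folds only ASCII letters,
    which is exactly right for both encodings.
    """
    haystack = blob.lower()
    hits = defaultdict(list)
    for category, needles in INDICATORS.items():
        for needle in needles:
            for enc in ("ascii", "utf-16-le"):
                if needle.lower().encode(enc) in haystack:
                    hits[category].append(needle)
                    break  # count each indicator once, whichever encoding hit
    return dict(hits)


def classify_sleeps(sleeps):
    """Split sleep values into (evasive, benign) lists of absolute milliseconds.

    The report prints the values negative because a relative NtDelayExecution
    timeout is encoded as a negative interval; the sign carries no information
    here.  922337203685477 is Int64.MaxValue 100-nanosecond ticks converted to
    milliseconds, i.e. a wait that never ends within a time-limited sandbox run.
    """
    evasive, benign = [], []
    for value in sleeps:
        ms = abs(int(value))
        (evasive if ms >= SLEEP_THRESHOLD_MS else benign).append(ms)
    return evasive, benign


# Constructed dump: a UTF-16LE Sandboxie string, an ASCII VirtualBox service
# name and a UTF-16LE WMI query, padded with null bytes.
SAMPLE_DUMP = (
    b"\x00" * 16
    + "SbieDll.dll".encode("utf-16-le")
    + b"\x00\x00"
    + b"vboxservice\x00"
    + "SELECT * FROM Win32_ComputerSystem".encode("utf-16-le")
    + b"\x00" * 8
)

if __name__ == "__main__":
    for category, found in scan_memory(SAMPLE_DUMP).items():
        print(f"{category}: {', '.join(found)}")
    print("sleeps (evasive, benign):", classify_sleeps([-40023, -922337203685477, 1500]))
```

Run it against a real process dump by reading the file into `scan_memory`; an indicator that only turns up in the UTF-16LE pass is a strong hint that the check lives in managed code rather than in a native payload.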
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Process created: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Queries volume information: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Queries volume information: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
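The entries above show the sample enabling the debug privilege on its own token, allocating guard pages, launching a second copy of its own executable, and reading HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid, a stable per-install value commonly used as a victim identifier. The Python below is an added example, not code from the report or the sample: it runs over constructed Sysmon-style process-creation records and flags a process that spawns its own image without handing the child any distinguishing arguments, which is the typical prelude to hollowing the child, while letting known multi-process applications through. The record layout, PIDs, directory markers and the allowlist are assumptions for the example.

```python
"""Added example, not part of the Joe Sandbox report: a detection pass that
flags a process launching an argument-less copy of its own image, as the
sample does here.  Events, PIDs and the allowlist are constructed."""
from dataclasses import dataclass
import ntpath


@dataclass(frozen=True)
class ProcessCreate:
    """Minimal process-creation record, modelled on the Sysmon EID 1 fields."""
    pid: int
    ppid: int
    image: str
    command_line: str
    parent_image: str
    parent_command_line: str


# Assumed allowlist: these legitimately spawn their own image, but always pass a
# role argument (for example --type=renderer) to the child.
KNOWN_MULTIPROCESS = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Assumed markers for directories an unprivileged user can write to.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")


def _norm(path: str) -> str:
    """Case-fold and normalise a Windows path so comparisons are reliable."""
    return ntpath.normcase(ntpath.normpath(path))


def _args(command_line: str) -> str:
    """Strip the (possibly quoted) program token, leaving only the arguments."""
    cl = command_line.strip()
    if cl.startswith('"'):
        end = cl.find('"', 1)
        return cl[end + 1:].strip() if end != -1 else ""
    parts = cl.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def assess(ev: ProcessCreate) -> list:
    """Return the reasons this event looks like self-injection; empty if benign."""
    if _norm(ev.image) != _norm(ev.parent_image):
        return []  # not a self-spawn, nothing to score
    name = ntpath.basename(_norm(ev.image))
    if name in KNOWN_MULTIPROCESS and _args(ev.command_line):
        return []  # expected multi-process architecture with a role argument
    reasons = ["spawned a copy of its own image"]
    if _args(ev.command_line) == _args(ev.parent_command_line):
        reasons.append("child received no distinguishing arguments")
    if any(marker in _norm(ev.image) for marker in USER_WRITABLE):
        reasons.append("image lives in a user-writable directory")
    return reasons


def find_self_spawns(events) -> list:
    """Return [(child pid, reasons)] for every event that assess() flags."""
    flagged = []
    for ev in events:
        reasons = assess(ev)
        if reasons:
            flagged.append((ev.pid, reasons))
    return flagged


SAMPLE = r"C:\Users\user\Desktop\CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"

# Constructed events: explorer starts the sample, the sample starts itself,
# and Chrome starts a renderer child.
SAMPLE_EVENTS = [
    ProcessCreate(1001, 900, SAMPLE, f'"{SAMPLE}"', r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcessCreate(1002, 1001, SAMPLE, f'"{SAMPLE}"', SAMPLE, f'"{SAMPLE}"'),
    ProcessCreate(1003, 1000, CHROME, f'"{CHROME}" --type=renderer', CHROME, f'"{CHROME}"'),
]

if __name__ == "__main__":
    for pid, reasons in find_self_spawns(SAMPLE_EVENTS):
        print(f"pid {pid}: " + "; ".join(reasons))
```

The argument check is what separates this from a noisy "parent image equals child image" rule: a hollowing loader needs a quiet, identical child to overwrite, whereas legitimate multi-process applications tell the child what role to play on the command line.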

                    Stealing of Sensitive Information

Source: Yara match | File source: 0.2.CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe.46fd2a0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe.4621e80.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.261105633.000000000306D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe PID: 2636, type: MEMORYSTR
Source: Yara match | File source: 00000001.00000002.261105633.000000000306D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: CTM_ARRANGEMENT_BREAKDOWN_DENOMINATION_-_MV_NEPTUNE_pdf.exe PID: 2636, type: MEMORYSTR

                    Remote Access Functionality
