Windows Analysis Report
PO_287104.exe

Overview

General Information

Sample name: PO_287104.exe
Analysis ID: 1435150
MD5: d20ba9548abd76ba228729949f845e59
SHA1: 55d97abeb438e0c4aec352523f10ec3c9d773a8c
SHA256: 1884a949e9068ffe0dd84be7644cd3a8fe320542252e533ce1d2214f79b50990
Tags: exe
Infos:

Detection

PureLog Stealer, Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected PureLog Stealer
Yara detected Snake Keylogger
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
404 Keylogger, Snake Keylogger Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection
barindex
Antivirus detection for URL or domain
Source: https://scratchdreams.tk Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000003.00000002.2255807328.0000000000402000.00000040.00000400.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "info@eraslangroup.net", "Password": "aHZAyjDK", "Host": "mail.eraslangroup.net", "Port": "587"}
Multi AV Scanner detection for domain / URL
Source: https://scratchdreams.tk Virustotal: Detection: 18% Perma Link
Multi AV Scanner detection for submitted file
Source: PO_287104.exe ReversingLabs: Detection: 65%
Source: PO_287104.exe Virustotal: Detection: 64% Perma Link
Machine Learning detection for sample
Source: PO_287104.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: PO_287104.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49730 version: TLS 1.0
Source: unknown HTTPS traffic detected: 23.41.168.93:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.41.168.93:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.126.24.146:443 -> 192.168.2.5:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.126.24.146:443 -> 192.168.2.5:49725 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.5:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.126.24.146:443 -> 192.168.2.5:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.5:49739 version: TLS 1.2
Source: PO_287104.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: BQdJ.pdb source: PO_287104.exe
Source: Binary string: \??\C:\Windows\mscorlib.pdb$y'- source: PO_287104.exe, 00000003.00000002.2257122086.0000000001106000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.ni.pdb source: WER1D13.tmp.dmp.8.dr
Source: Binary string: System.ni.pdbRSDS source: WER1D13.tmp.dmp.8.dr
Source: Binary string: BQdJ.pdbs\BQdJ.pdbpdbQdJ.pdb source: PO_287104.exe, 00000003.00000002.2256827089.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Configuration.pdbd source: WER1D13.tmp.dmp.8.dr
Source: Binary string: \??\C:\Users\user\Desktop\BQdJ.pdb source: PO_287104.exe, 00000003.00000002.2257122086.0000000001106000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\BQdJ.pdb source: PO_287104.exe, 00000003.00000002.2257449414.00000000011BB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WER1D13.tmp.dmp.8.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: PO_287104.exe, 00000003.00000002.2257122086.0000000001106000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS source: WER1D13.tmp.dmp.8.dr
Source: Binary string: symbols\exe\BQdJ.pdb source: PO_287104.exe, 00000003.00000002.2256827089.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Configuration.pdb source: WER1D13.tmp.dmp.8.dr
Source: Binary string: indows\BQdJ.pdb source: PO_287104.exe, 00000003.00000002.2257449414.00000000011C6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.pdb source: WER1D13.tmp.dmp.8.dr
Source: Binary string: \??\C:\Windows\exe\BQdJ.pdb source: PO_287104.exe, 00000003.00000002.2257122086.0000000001106000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: o.pdb source: PO_287104.exe, 00000003.00000002.2256827089.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.pdb source: WER1D13.tmp.dmp.8.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WER1D13.tmp.dmp.8.dr
Source: Binary string: oC:\Users\user\Desktop\BQdJ.pdb source: PO_287104.exe, 00000003.00000002.2256827089.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: Microsoft.VisualBasic.pdb source: WER1D13.tmp.dmp.8.dr
Source: Binary string: System.Core.ni.pdb source: WER1D13.tmp.dmp.8.dr
Source: Binary string: System.Windows.Forms.pdb source: WER1D13.tmp.dmp.8.dr
Source: Binary string: Microsoft.VisualBasic.pdbMZ source: WER1D13.tmp.dmp.8.dr
Source: Binary string: BQdJ.pdbon source: PO_287104.exe, 00000003.00000002.2257122086.0000000001106000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n(C:\Windows\BQdJ.pdb source: PO_287104.exe, 00000003.00000002.2256827089.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: WER1D13.tmp.dmp.8.dr
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: PO_287104.exe, 00000003.00000002.2257122086.0000000001106000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: BQdJ.pdbSHA256 source: PO_287104.exe
Source: Binary string: mscorlib.ni.pdb source: WER1D13.tmp.dmp.8.dr
Source: Binary string: C:\Windows\BQdJ.pdbpdbQdJ.pdbI source: PO_287104.exe, 00000003.00000002.2257122086.0000000001106000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: WER1D13.tmp.dmp.8.dr
Source: Binary string: nDC:\Users\user\Desktop\BQdJ.pdb " source: PO_287104.exe, 00000003.00000002.2256827089.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\Desktop\PO_287104.PDB source: PO_287104.exe, 00000003.00000002.2257122086.0000000001106000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\BQdJ.pdb source: PO_287104.exe, 00000003.00000002.2257449414.00000000011C6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER1D13.tmp.dmp.8.dr
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdbq source: PO_287104.exe, 00000003.00000002.2257449414.00000000011BB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ni.pdb source: WER1D13.tmp.dmp.8.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER1D13.tmp.dmp.8.dr

Networking
barindex
Yara detected Generic Downloader
Source: Yara match File source: 3.2.PO_287104.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_287104.exe.392f000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_287104.exe.390e5e0.9.raw.unpack, type: UNPACKEDPE
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 193.122.130.0 193.122.130.0
Source: Joe Sandbox View IP Address: 239.255.255.250 239.255.255.250
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49730 version: TLS 1.0
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.41.168.93
Source: unknown TCP traffic detected without corresponding DNS query: 23.41.168.93
Source: unknown TCP traffic detected without corresponding DNS query: 23.41.168.93
Source: unknown TCP traffic detected without corresponding DNS query: 23.41.168.93
Source: unknown TCP traffic detected without corresponding DNS query: 23.41.168.93
Source: unknown TCP traffic detected without corresponding DNS query: 23.41.168.93
Source: unknown TCP traffic detected without corresponding DNS query: 23.41.168.93
Source: unknown TCP traffic detected without corresponding DNS query: 23.41.168.93
Source: unknown TCP traffic detected without corresponding DNS query: 23.41.168.93
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.41.168.93
Source: unknown TCP traffic detected without corresponding DNS query: 23.41.168.93
Source: unknown TCP traffic detected without corresponding DNS query: 23.41.168.93
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.41.168.93
Source: unknown TCP traffic detected without corresponding DNS query: 23.41.168.93
Source: unknown TCP traffic detected without corresponding DNS query: 23.41.168.93
Source: unknown TCP traffic detected without corresponding DNS query: 23.41.168.93
Source: unknown TCP traffic detected without corresponding DNS query: 23.41.168.93
Source: unknown TCP traffic detected without corresponding DNS query: 23.41.168.93
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.24.146
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.24.146
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.24.146
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.24.146
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.24.146
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.24.146
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.24.146
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.24.146
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.24.146
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.24.146
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.24.146
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.24.146
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.24.146
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.24.146
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.24.146
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.24.146
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.24.146
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.24.146
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.24.146
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.24.146
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.24.146
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.24.146
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.24.146
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.24.146
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.24.146
Source: global traffic HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlKHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCI/KzQEIucrNAQi/0c0BCIrTzQEI0NbNAQio2M0BCPnA1BUYj87NARi60s0BGMLYzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlKHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCI/KzQEIucrNAQi/0c0BCIrTzQEI0NbNAQio2M0BCPnA1BUYj87NARi60s0BGMLYzQEY642lFw==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS_YJbhGMrazLEGIjAtDLKtaW7imy5MSBR16Nr2fdKnHvcFaleWOY1c1TY4DlJgIX8p-mGA1aAPz9kdujYyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlKHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCI/KzQEIucrNAQi/0c0BCIrTzQEI0NbNAQio2M0BCPnA1BUYj87NARi60s0BGMLYzQEY642lFw==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-06; NID=513=nEeGppaCYZTryw90tWMrWPtnWecP-CEyKGsnTSpmbkAbRt7HapZOkmLuN6UDzUbejN4o-GTDydubkF1SHUALK5pYgcsaYQRNwHP1RZw24wKNUfEvGv9zG0zsRBSJaL_f7VVumNW8jbVjIwO8vSYRBIE3mtSNCm-eZFzLDSFqk-Q
Source: global traffic HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YJbhGMrazLEGIjBZUN1Vqkwi12TG-vYHko3v5bGLhfMhQg1bQ3rJ4hZy5IkSprSYJZZ7YfDKBTYYOVsyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-06; NID=513=nEeGppaCYZTryw90tWMrWPtnWecP-CEyKGsnTSpmbkAbRt7HapZOkmLuN6UDzUbejN4o-GTDydubkF1SHUALK5pYgcsaYQRNwHP1RZw24wKNUfEvGv9zG0zsRBSJaL_f7VVumNW8jbVjIwO8vSYRBIE3mtSNCm-eZFzLDSFqk-Q
Source: global traffic HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=g5CmHFkGbVU6UBo&MD=M5dXUgl7 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=g5CmHFkGbVU6UBo&MD=M5dXUgl7 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: unknown HTTP traffic detected: POST /RST2.srf HTTP/1.0Connection: Keep-AliveContent-Type: application/soap+xmlAccept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Content-Length: 3592Host: login.live.com
Source: PO_287104.exe, 00000003.00000002.2258181330.0000000002E77000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.com
Source: PO_287104.exe, 00000003.00000002.2258181330.0000000002E77000.00000004.00000800.00020000.00000000.sdmp, PO_287104.exe, 00000003.00000002.2258181330.0000000002E63000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: PO_287104.exe, 00000003.00000002.2258181330.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: PO_287104.exe, 00000000.00000002.2035283049.000000000390E000.00000004.00000800.00020000.00000000.sdmp, PO_287104.exe, 00000003.00000002.2255807328.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: PO_287104.exe, 00000003.00000002.2258181330.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.8.dr String found in binary or memory: http://upx.sf.net
Source: PO_287104.exe, 00000000.00000002.2035283049.000000000390E000.00000004.00000800.00020000.00000000.sdmp, PO_287104.exe, 00000003.00000002.2255807328.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: PO_287104.exe, 00000000.00000002.2035283049.000000000390E000.00000004.00000800.00020000.00000000.sdmp, PO_287104.exe, 00000003.00000002.2255807328.0000000000402000.00000040.00000400.00020000.00000000.sdmp, PO_287104.exe, 00000003.00000002.2258181330.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://scratchdreams.tk
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown HTTPS traffic detected: 23.41.168.93:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.41.168.93:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.126.24.146:443 -> 192.168.2.5:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.126.24.146:443 -> 192.168.2.5:49725 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.5:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.126.24.146:443 -> 192.168.2.5:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.5:49739 version: TLS 1.2

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 3.2.PO_287104.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.PO_287104.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.PO_287104.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.PO_287104.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.PO_287104.exe.392f000.8.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.PO_287104.exe.392f000.8.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.PO_287104.exe.392f000.8.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.PO_287104.exe.392f000.8.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.PO_287104.exe.390e5e0.9.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.PO_287104.exe.390e5e0.9.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.PO_287104.exe.390e5e0.9.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.PO_287104.exe.390e5e0.9.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.PO_287104.exe.392f000.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.PO_287104.exe.392f000.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.PO_287104.exe.392f000.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.PO_287104.exe.390e5e0.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.PO_287104.exe.390e5e0.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.PO_287104.exe.390e5e0.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000003.00000002.2255807328.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000003.00000002.2255807328.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.2035283049.000000000390E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2035283049.000000000390E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: PO_287104.exe PID: 6156, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: PO_287104.exe PID: 6156, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: PO_287104.exe PID: 6196, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: PO_287104.exe PID: 6196, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
.NET source code contains very large array initializations
Source: 0.2.PO_287104.exe.52c0000.10.raw.unpack, .cs Large array initialization: : array initializer size 33957
Source: 0.2.PO_287104.exe.27570e0.4.raw.unpack, .cs Large array initialization: : array initializer size 33957
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: PO_287104.exe
Detected potential crypto function
Source: C:\Users\user\Desktop\PO_287104.exe Code function: 0_2_0271DD4C 0_2_0271DD4C
Source: C:\Users\user\Desktop\PO_287104.exe Code function: 0_2_04CD7A28 0_2_04CD7A28
Source: C:\Users\user\Desktop\PO_287104.exe Code function: 0_2_04CD0040 0_2_04CD0040
Source: C:\Users\user\Desktop\PO_287104.exe Code function: 0_2_04CD0006 0_2_04CD0006
Source: C:\Users\user\Desktop\PO_287104.exe Code function: 0_2_04CD79F8 0_2_04CD79F8
Source: C:\Users\user\Desktop\PO_287104.exe Code function: 0_2_06BFB0F0 0_2_06BFB0F0
Source: C:\Users\user\Desktop\PO_287104.exe Code function: 0_2_06BF21A0 0_2_06BF21A0
Source: C:\Users\user\Desktop\PO_287104.exe Code function: 0_2_06BF76D8 0_2_06BF76D8
Source: C:\Users\user\Desktop\PO_287104.exe Code function: 0_2_06BF76C8 0_2_06BF76C8
Source: C:\Users\user\Desktop\PO_287104.exe Code function: 0_2_06BF55D8 0_2_06BF55D8
Source: C:\Users\user\Desktop\PO_287104.exe Code function: 0_2_06BF4D68 0_2_06BF4D68
Source: C:\Users\user\Desktop\PO_287104.exe Code function: 0_2_06BF5A10 0_2_06BF5A10
Source: C:\Users\user\Desktop\PO_287104.exe Code function: 0_2_06BF51A0 0_2_06BF51A0
Source: C:\Users\user\Desktop\PO_287104.exe Code function: 0_2_06BF2193 0_2_06BF2193
Source: C:\Users\user\Desktop\PO_287104.exe Code function: 3_2_013A35C8 3_2_013A35C8
One or more processes crash
Source: C:\Users\user\Desktop\PO_287104.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6196 -s 1516
Sample file is different than original file name gathered from version info
Source: PO_287104.exe, 00000000.00000002.2041143025.0000000006C10000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs PO_287104.exe
Source: PO_287104.exe, 00000000.00000002.2040556990.00000000052C0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameSimpleLogin.dllD vs PO_287104.exe
Source: PO_287104.exe, 00000000.00000002.2035283049.000000000390E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs PO_287104.exe
Source: PO_287104.exe, 00000000.00000002.2035283049.000000000390E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs PO_287104.exe
Source: PO_287104.exe, 00000000.00000002.2034133150.0000000002731000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSimpleLogin.dllD vs PO_287104.exe
Source: PO_287104.exe, 00000000.00000002.2034133150.00000000027A7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs PO_287104.exe
Source: PO_287104.exe, 00000000.00000002.2030095753.00000000009AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs PO_287104.exe
Source: PO_287104.exe, 00000000.00000000.1994466493.000000000040C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameBQdJ.exe4 vs PO_287104.exe
Source: PO_287104.exe, 00000003.00000002.2255807328.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs PO_287104.exe
Source: PO_287104.exe Binary or memory string: OriginalFilenameBQdJ.exe4 vs PO_287104.exe
Uses 32bit PE files
Source: PO_287104.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 3.2.PO_287104.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.PO_287104.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.PO_287104.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.PO_287104.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.PO_287104.exe.392f000.8.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.PO_287104.exe.392f000.8.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PO_287104.exe.392f000.8.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.PO_287104.exe.392f000.8.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.PO_287104.exe.390e5e0.9.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.PO_287104.exe.390e5e0.9.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PO_287104.exe.390e5e0.9.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.PO_287104.exe.390e5e0.9.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.PO_287104.exe.392f000.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.PO_287104.exe.392f000.8.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.PO_287104.exe.392f000.8.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.PO_287104.exe.390e5e0.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.PO_287104.exe.390e5e0.9.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.PO_287104.exe.390e5e0.9.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000003.00000002.2255807328.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000003.00000002.2255807328.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.2035283049.000000000390E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2035283049.000000000390E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: PO_287104.exe PID: 6156, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: PO_287104.exe PID: 6156, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: PO_287104.exe PID: 6196, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: PO_287104.exe PID: 6196, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: PO_287104.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.PO_287104.exe.390e5e0.9.raw.unpack, -.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO_287104.exe.390e5e0.9.raw.unpack, -.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO_287104.exe.390e5e0.9.raw.unpack, 2Ac.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO_287104.exe.390e5e0.9.raw.unpack, 2Ac.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO_287104.exe.5310000.12.raw.unpack, XG.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.PO_287104.exe.5310000.12.raw.unpack, XG.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.PO_287104.exe.392f000.8.raw.unpack, -.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO_287104.exe.392f000.8.raw.unpack, -.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO_287104.exe.392f000.8.raw.unpack, 2Ac.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO_287104.exe.392f000.8.raw.unpack, 2Ac.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO_287104.exe.6c10000.13.raw.unpack, lUhnkxZn6MVWnWuG30.cs Security API names: _0020.SetAccessControl
Source: 0.2.PO_287104.exe.6c10000.13.raw.unpack, lUhnkxZn6MVWnWuG30.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO_287104.exe.6c10000.13.raw.unpack, lUhnkxZn6MVWnWuG30.cs Security API names: _0020.AddAccessRule
Source: 0.2.PO_287104.exe.3a46fd0.7.raw.unpack, lUhnkxZn6MVWnWuG30.cs Security API names: _0020.SetAccessControl
Source: 0.2.PO_287104.exe.3a46fd0.7.raw.unpack, lUhnkxZn6MVWnWuG30.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO_287104.exe.3a46fd0.7.raw.unpack, lUhnkxZn6MVWnWuG30.cs Security API names: _0020.AddAccessRule
Source: 0.2.PO_287104.exe.3a46fd0.7.raw.unpack, bGBOtPuomQ2YVfeEwZ.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO_287104.exe.6c10000.13.raw.unpack, bGBOtPuomQ2YVfeEwZ.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.evad.winEXE@19/14@3/6
Source: C:\Users\user\Desktop\PO_287104.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO_287104.exe.log Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6196
Source: C:\Users\user\Desktop\PO_287104.exe Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\8259f0c5-9d69-4278-a569-61ffdf55daa5 Jump to behavior
Source: PO_287104.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: PO_287104.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\PO_287104.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: PO_287104.exe ReversingLabs: Detection: 65%
Source: PO_287104.exe Virustotal: Detection: 64%
Source: C:\Users\user\Desktop\PO_287104.exe File read: C:\Users\user\Desktop\PO_287104.exe:Zone.Identifier Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\PO_287104.exe "C:\Users\user\Desktop\PO_287104.exe"
Source: C:\Users\user\Desktop\PO_287104.exe Process created: C:\Users\user\Desktop\PO_287104.exe "C:\Users\user\Desktop\PO_287104.exe"
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 --field-trial-handle=2056,i,8737495624509298634,17865193719586568122,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\Desktop\PO_287104.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6196 -s 1516
Source: C:\Users\user\Desktop\PO_287104.exe Process created: C:\Users\user\Desktop\PO_287104.exe "C:\Users\user\Desktop\PO_287104.exe" Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 --field-trial-handle=2056,i,8737495624509298634,17865193719586568122,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Google Drive.lnk.4.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.4.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.4.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.4.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.4.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.4.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\PO_287104.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: PO_287104.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PO_287104.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: PO_287104.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: BQdJ.pdb source: PO_287104.exe
Source: Binary string: \??\C:\Windows\mscorlib.pdb$y'- source: PO_287104.exe, 00000003.00000002.2257122086.0000000001106000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.ni.pdb source: WER1D13.tmp.dmp.8.dr
Source: Binary string: System.ni.pdbRSDS source: WER1D13.tmp.dmp.8.dr
Source: Binary string: BQdJ.pdbs\BQdJ.pdbpdbQdJ.pdb source: PO_287104.exe, 00000003.00000002.2256827089.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Configuration.pdbd source: WER1D13.tmp.dmp.8.dr
Source: Binary string: \??\C:\Users\user\Desktop\BQdJ.pdb source: PO_287104.exe, 00000003.00000002.2257122086.0000000001106000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\BQdJ.pdb source: PO_287104.exe, 00000003.00000002.2257449414.00000000011BB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WER1D13.tmp.dmp.8.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: PO_287104.exe, 00000003.00000002.2257122086.0000000001106000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS source: WER1D13.tmp.dmp.8.dr
Source: Binary string: symbols\exe\BQdJ.pdb source: PO_287104.exe, 00000003.00000002.2256827089.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Configuration.pdb source: WER1D13.tmp.dmp.8.dr
Source: Binary string: indows\BQdJ.pdb source: PO_287104.exe, 00000003.00000002.2257449414.00000000011C6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.pdb source: WER1D13.tmp.dmp.8.dr
Source: Binary string: \??\C:\Windows\exe\BQdJ.pdb source: PO_287104.exe, 00000003.00000002.2257122086.0000000001106000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: o.pdb source: PO_287104.exe, 00000003.00000002.2256827089.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.pdb source: WER1D13.tmp.dmp.8.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WER1D13.tmp.dmp.8.dr
Source: Binary string: oC:\Users\user\Desktop\BQdJ.pdb source: PO_287104.exe, 00000003.00000002.2256827089.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: Microsoft.VisualBasic.pdb source: WER1D13.tmp.dmp.8.dr
Source: Binary string: System.Core.ni.pdb source: WER1D13.tmp.dmp.8.dr
Source: Binary string: System.Windows.Forms.pdb source: WER1D13.tmp.dmp.8.dr
Source: Binary string: Microsoft.VisualBasic.pdbMZ source: WER1D13.tmp.dmp.8.dr
Source: Binary string: BQdJ.pdbon source: PO_287104.exe, 00000003.00000002.2257122086.0000000001106000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n(C:\Windows\BQdJ.pdb source: PO_287104.exe, 00000003.00000002.2256827089.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: WER1D13.tmp.dmp.8.dr
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: PO_287104.exe, 00000003.00000002.2257122086.0000000001106000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: BQdJ.pdbSHA256 source: PO_287104.exe
Source: Binary string: mscorlib.ni.pdb source: WER1D13.tmp.dmp.8.dr
Source: Binary string: C:\Windows\BQdJ.pdbpdbQdJ.pdbI source: PO_287104.exe, 00000003.00000002.2257122086.0000000001106000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: WER1D13.tmp.dmp.8.dr
Source: Binary string: nDC:\Users\user\Desktop\BQdJ.pdb " source: PO_287104.exe, 00000003.00000002.2256827089.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\Desktop\PO_287104.PDB source: PO_287104.exe, 00000003.00000002.2257122086.0000000001106000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\BQdJ.pdb source: PO_287104.exe, 00000003.00000002.2257449414.00000000011C6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER1D13.tmp.dmp.8.dr
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdbq source: PO_287104.exe, 00000003.00000002.2257449414.00000000011BB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ni.pdb source: WER1D13.tmp.dmp.8.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER1D13.tmp.dmp.8.dr

Data Obfuscation
barindex
.NET source code contains method to dynamically call methods (often used by packers)
Source: 0.2.PO_287104.exe.5310000.12.raw.unpack, XG.cs .Net Code: Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777298)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777243)),Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777254))})
.NET source code contains potential unpacker
Source: PO_287104.exe, StartWindows.cs .Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: 0.2.PO_287104.exe.52c0000.10.raw.unpack, .cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO_287104.exe.6c10000.13.raw.unpack, lUhnkxZn6MVWnWuG30.cs .Net Code: T3XXiKc9BJZDBafMcnq System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO_287104.exe.3a46fd0.7.raw.unpack, lUhnkxZn6MVWnWuG30.cs .Net Code: T3XXiKc9BJZDBafMcnq System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO_287104.exe.27570e0.4.raw.unpack, .cs .Net Code: System.Reflection.Assembly.Load(byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\PO_287104.exe Code function: 0_2_04D031E8 push ebp; retn 0004h 0_2_04D031FC
Source: C:\Users\user\Desktop\PO_287104.exe Code function: 0_2_06BF1AB8 pushfd ; ret 0_2_06BF1AB9
Source: C:\Users\user\Desktop\PO_287104.exe Code function: 0_2_06BFC0C3 push eax; retf 0_2_06BFC0CD
Source: PO_287104.exe Static PE information: section name: .text entropy: 7.9335251724072196
Source: 0.2.PO_287104.exe.6c10000.13.raw.unpack, tRNPucHWD8l9ZAjAcV.cs High entropy of concatenated method names: 'FbvbQGBOtP', 'qmQbZ2YVfe', 'W70b5achUQ', 'putbXU4aIh', 'kyXbxhFctA', 'nvlbk4il2N', 'merN0ZJxRJgFaJLFFM', 'nANOy3bZeafisrgQHP', 'D59bbA8SE3', 'lDgb1fC2IR'
Source: 0.2.PO_287104.exe.6c10000.13.raw.unpack, XkliNQaQXIVLUQ3lyu.cs High entropy of concatenated method names: 'lnkxTp0TCB', 'J5UxdfkivN', 'mjuxaCyARB', 'pJ0x9SicrN', 'p5nxEFLeg1', 'ASixPGuVA2', 'bvZxLkUnxi', 'YdFxlYHB4a', 'S46x0wahuT', 'eMFxrXidVb'
Source: 0.2.PO_287104.exe.6c10000.13.raw.unpack, L64CgyhkimgwGZCcNW.cs High entropy of concatenated method names: 'Dispose', 'WUgb3Fj84R', 'XIsvEMpIHe', 'XuoaaeNDvg', 'yEKbIdIYVQ', 'Oy0bzOrTsf', 'ProcessDialogKey', 'W85vjkQexN', 'RG2vbhMTFv', 'JQsvviHvdK'
Source: 0.2.PO_287104.exe.6c10000.13.raw.unpack, lUhnkxZn6MVWnWuG30.cs High entropy of concatenated method names: 'yIE1FsaK9O', 'tC71f174Jv', 'jOn1hPosYG', 'r0r1YYTRD9', 'wIp1eQHmPU', 'zym1iLTKxf', 'OnZ1QHiry8', 'Ii71ZQyTHl', 'Dqn1JrRUuh', 'JEW15iP6pK'
Source: 0.2.PO_287104.exe.6c10000.13.raw.unpack, jNgEndCxj8sZT9u3Pl.cs High entropy of concatenated method names: 'ILfQMFyLmv', 'avgQcoxTOK', 'wiWQysE4jN', 'rmyQVHVUVL', 'iqeQ7SptbF', 'p5eQOkiy79', 'PmAQADUCXy', 'z03QuySAGs', 'UC4QgeYIPM', 'KTpQ6rci98'
Source: 0.2.PO_287104.exe.6c10000.13.raw.unpack, waIhBJ67NkUrXZyXhF.cs High entropy of concatenated method names: 'xp6e78kDsR', 'NB2eAJNc0X', 'sSLYPTs7Ya', 'CruYLWrDuK', 'KOfYlaUR9t', 'Nb5Y07VDhW', 'vsuYrwj5Fe', 'C5DYsokM2D', 'VwWYCVnajw', 'xRWYTet6aY'
Source: 0.2.PO_287104.exe.6c10000.13.raw.unpack, wZMDg9vYm5bCddm6F0.cs High entropy of concatenated method names: 'i9syYkOeF', 'ChFVVPBLw', 'csmOOGSM4', 'HEnAWp1ou', 'G74grdcpe', 'sbD6OPxlb', 'xZIRB4PGFg3N88cmr8', 'sCnLSYpKhwsC9Ni8xG', 'B4OKiCQJA', 'N67q4q9JZ'
Source: 0.2.PO_287104.exe.6c10000.13.raw.unpack, vWxV7lGoT7Fxp2qDr2.cs High entropy of concatenated method names: 'ToString', 'su5kWiOaON', 'qYakEZ6s7T', 'adakPPVJES', 'ya5kL3lIkF', 'wtpkluL43G', 'tXGk0uwxfF', 'RpdkrbKQcM', 'uDHkstsPXb', 'u1xkCmSYdm'
Source: 0.2.PO_287104.exe.6c10000.13.raw.unpack, gavUgmg70achUQkutU.cs High entropy of concatenated method names: 'PkhYVLctl4', 'MmtYOZ5vIs', 'flDYuOXS63', 'pwRYgaEFgK', 'MFxYxGo0VP', 'dHBYkvhiip', 'ryIYolw2rm', 'PA5YK2rtY7', 'pHRYB5SqFp', 'fFqYqKtBCx'
Source: 0.2.PO_287104.exe.6c10000.13.raw.unpack, G7mS8ZSvvUGCyYaqAA.cs High entropy of concatenated method names: 'Ya1puZ0U46', 'ot6pgyipxS', 'mR5ptLUQiv', 'hLTpETV6oR', 'QdepLhVHuw', 'I3Bpl7Qvlm', 'sxwprr32sl', 'unBpsJPnD9', 'B4qpTZQtIS', 'bYfpWVboU7'
Source: 0.2.PO_287104.exe.6c10000.13.raw.unpack, Fu6HyLY5y6iT8dlDru.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'pNUv3bbBrI', 'pLDvIbKqtk', 'Ldvvz22Dip', 'nyT1ju0Vlk', 'rmo1bf8nJy', 'P1C1vUpKHv', 'QF511eWOuY', 'abI1dMcIrH7QBaLCO4p'
Source: 0.2.PO_287104.exe.6c10000.13.raw.unpack, LCSZEeb1bh6K4ZZL4wv.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ihLqaM5Cam', 'YBjq9iJ5td', 'spmqGSWO68', 'cZMqDoejEO', 'kHHqNxdFbI', 'ROXqRsPg6G', 'CeIq2OL2AR'
Source: 0.2.PO_287104.exe.6c10000.13.raw.unpack, SwIC4kRyYPUMjn1cNh.cs High entropy of concatenated method names: 'ejhomfX0eR', 'k35oIVf5m7', 'wClKj5Yp67', 'OVWKb7i2b4', 'YatoWdMxLE', 'KFXod8vfVo', 'TBnoSSJILc', 'BP7oacfn7B', 'kXeo9lLwr8', 'G98oG955Lk'
Source: 0.2.PO_287104.exe.6c10000.13.raw.unpack, iHvdKBI9eXi4igEkYy.cs High entropy of concatenated method names: 'eMxBb5y0fs', 'iVNB12Wr5T', 'xBGBHkknls', 'w6tBfqJS1n', 'NnIBhTfxM2', 'P63BeD8IPo', 'i25BiBjMZV', 'elxK28UAqy', 'FIqKm9LETW', 'ijiK3o3GlH'
Source: 0.2.PO_287104.exe.6c10000.13.raw.unpack, ObuQ3TErnEuLYWf4Xa.cs High entropy of concatenated method names: 'EQ8lopn18Z5EAVl9WQ6', 'yQAkBIn4brJsoS7iLGT', 'eEuiKpBZts', 'ywmiBATKRo', 'egTiqDK2hm', 'u3jHvanqGLuQGx3k0rx', 'qpxpa4nGjjr7qMSFhoO'
Source: 0.2.PO_287104.exe.6c10000.13.raw.unpack, GwOVJ3Du5ZBuW6bs8P.cs High entropy of concatenated method names: 'Q65o5b0WuZ', 'rthoXFAO8p', 'ToString', 'bY2ofn6vQ6', 'opfohhE2Bp', 'lTwoY1ufJN', 'z5Soen2VxF', 'n7IoieB5B1', 'PxToQCswOS', 'p98oZqZo2H'
Source: 0.2.PO_287104.exe.6c10000.13.raw.unpack, bGBOtPuomQ2YVfeEwZ.cs High entropy of concatenated method names: 'LhghafbUnT', 'qYGh9gmVnI', 'b4ThGTsAIg', 'cbChDm0Uh7', 'Ak8hNk1Xfq', 'ntehR5OLjp', 'LJWh2RsIfI', 'ipjhmmUkw2', 'XkNh3qVu0a', 'dhDhIIYnnH'
Source: 0.2.PO_287104.exe.6c10000.13.raw.unpack, ztApvlt4il2NRwsLEF.cs High entropy of concatenated method names: 'RxCiFa01t9', 'TE4iheqbXX', 'M0aie4qHOF', 'mnYiQJ9qdL', 'rWOiZRfO1Z', 'APLeNg4v3H', 'Pn6eRxXhUn', 'D8Je2tMZlQ', 'u3JemNFb60', 'NRIe3JtK83'
Source: 0.2.PO_287104.exe.6c10000.13.raw.unpack, HKdIYVmQWy0OrTsf28.cs High entropy of concatenated method names: 'dROKfJrc9A', 'KrcKhMYKdI', 'ksSKYABv9D', 'Sw2KeXuaCN', 'gbpKi4mYSq', 'ue9KQhIEhA', 'MAmKZK2Wlr', 'b7wKJoFYXU', 'AhPK5hP0YF', 'wVhKXb74sB'
Source: 0.2.PO_287104.exe.6c10000.13.raw.unpack, hXAWlqrFWmy2Xytb4g.cs High entropy of concatenated method names: 'auwQf6X49D', 'IqQQY35188', 'dVoQihIP3N', 'Ee8iI4grZ9', 'KhWiz650we', 'BYYQjB5thO', 'PClQbeQI51', 'VMoQvFhhyP', 'mXIQ1f5sWb', 'PCFQHwthTP'
Source: 0.2.PO_287104.exe.6c10000.13.raw.unpack, G8Mhk0bj23wLCvtwSE3.cs High entropy of concatenated method names: 'DnkBMHW9qW', 'r98BcTcFE2', 'fsVByFkIMo', 'fu9BV6PxtN', 'JxaB75IgLK', 'hSGBOasjpI', 'UrkBAEko5Z', 'wMkBunqyHH', 'QhvBgSnTi3', 'UIpB6BMhEy'
Source: 0.2.PO_287104.exe.6c10000.13.raw.unpack, eFKkB5zN7g07YVwWym.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'W3cBpqTEHM', 'KfdBxl2Pb0', 'UWHBk597MZ', 'L4iBosABlP', 'PccBKSnctL', 'oooBB15hvd', 'NfIBqhKxCY'
Source: 0.2.PO_287104.exe.6c10000.13.raw.unpack, lkQexN39G2hMTFvlQs.cs High entropy of concatenated method names: 'M1nKtOGC5c', 'OHWKEXmTpq', 'Up9KPVgWFd', 'I3HKLe9VGo', 'DtCKalpKUm', 'aEaKlpk7i7', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.PO_287104.exe.5310000.12.raw.unpack, XG.cs High entropy of concatenated method names: 'S1d', 'RgtTUJcyZL', 'n1Q', 'M1r', 'Y1a', 'U1m', 'k2an4M', 'gt', 'kU', 'rK'
Source: 0.2.PO_287104.exe.3a46fd0.7.raw.unpack, tRNPucHWD8l9ZAjAcV.cs High entropy of concatenated method names: 'FbvbQGBOtP', 'qmQbZ2YVfe', 'W70b5achUQ', 'putbXU4aIh', 'kyXbxhFctA', 'nvlbk4il2N', 'merN0ZJxRJgFaJLFFM', 'nANOy3bZeafisrgQHP', 'D59bbA8SE3', 'lDgb1fC2IR'
Source: 0.2.PO_287104.exe.3a46fd0.7.raw.unpack, XkliNQaQXIVLUQ3lyu.cs High entropy of concatenated method names: 'lnkxTp0TCB', 'J5UxdfkivN', 'mjuxaCyARB', 'pJ0x9SicrN', 'p5nxEFLeg1', 'ASixPGuVA2', 'bvZxLkUnxi', 'YdFxlYHB4a', 'S46x0wahuT', 'eMFxrXidVb'
Source: 0.2.PO_287104.exe.3a46fd0.7.raw.unpack, L64CgyhkimgwGZCcNW.cs High entropy of concatenated method names: 'Dispose', 'WUgb3Fj84R', 'XIsvEMpIHe', 'XuoaaeNDvg', 'yEKbIdIYVQ', 'Oy0bzOrTsf', 'ProcessDialogKey', 'W85vjkQexN', 'RG2vbhMTFv', 'JQsvviHvdK'
Source: 0.2.PO_287104.exe.3a46fd0.7.raw.unpack, lUhnkxZn6MVWnWuG30.cs High entropy of concatenated method names: 'yIE1FsaK9O', 'tC71f174Jv', 'jOn1hPosYG', 'r0r1YYTRD9', 'wIp1eQHmPU', 'zym1iLTKxf', 'OnZ1QHiry8', 'Ii71ZQyTHl', 'Dqn1JrRUuh', 'JEW15iP6pK'
Source: 0.2.PO_287104.exe.3a46fd0.7.raw.unpack, jNgEndCxj8sZT9u3Pl.cs High entropy of concatenated method names: 'ILfQMFyLmv', 'avgQcoxTOK', 'wiWQysE4jN', 'rmyQVHVUVL', 'iqeQ7SptbF', 'p5eQOkiy79', 'PmAQADUCXy', 'z03QuySAGs', 'UC4QgeYIPM', 'KTpQ6rci98'
Source: 0.2.PO_287104.exe.3a46fd0.7.raw.unpack, waIhBJ67NkUrXZyXhF.cs High entropy of concatenated method names: 'xp6e78kDsR', 'NB2eAJNc0X', 'sSLYPTs7Ya', 'CruYLWrDuK', 'KOfYlaUR9t', 'Nb5Y07VDhW', 'vsuYrwj5Fe', 'C5DYsokM2D', 'VwWYCVnajw', 'xRWYTet6aY'
Source: 0.2.PO_287104.exe.3a46fd0.7.raw.unpack, wZMDg9vYm5bCddm6F0.cs High entropy of concatenated method names: 'i9syYkOeF', 'ChFVVPBLw', 'csmOOGSM4', 'HEnAWp1ou', 'G74grdcpe', 'sbD6OPxlb', 'xZIRB4PGFg3N88cmr8', 'sCnLSYpKhwsC9Ni8xG', 'B4OKiCQJA', 'N67q4q9JZ'
Source: 0.2.PO_287104.exe.3a46fd0.7.raw.unpack, vWxV7lGoT7Fxp2qDr2.cs High entropy of concatenated method names: 'ToString', 'su5kWiOaON', 'qYakEZ6s7T', 'adakPPVJES', 'ya5kL3lIkF', 'wtpkluL43G', 'tXGk0uwxfF', 'RpdkrbKQcM', 'uDHkstsPXb', 'u1xkCmSYdm'
Source: 0.2.PO_287104.exe.3a46fd0.7.raw.unpack, gavUgmg70achUQkutU.cs High entropy of concatenated method names: 'PkhYVLctl4', 'MmtYOZ5vIs', 'flDYuOXS63', 'pwRYgaEFgK', 'MFxYxGo0VP', 'dHBYkvhiip', 'ryIYolw2rm', 'PA5YK2rtY7', 'pHRYB5SqFp', 'fFqYqKtBCx'
Source: 0.2.PO_287104.exe.3a46fd0.7.raw.unpack, G7mS8ZSvvUGCyYaqAA.cs High entropy of concatenated method names: 'Ya1puZ0U46', 'ot6pgyipxS', 'mR5ptLUQiv', 'hLTpETV6oR', 'QdepLhVHuw', 'I3Bpl7Qvlm', 'sxwprr32sl', 'unBpsJPnD9', 'B4qpTZQtIS', 'bYfpWVboU7'
Source: 0.2.PO_287104.exe.3a46fd0.7.raw.unpack, Fu6HyLY5y6iT8dlDru.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'pNUv3bbBrI', 'pLDvIbKqtk', 'Ldvvz22Dip', 'nyT1ju0Vlk', 'rmo1bf8nJy', 'P1C1vUpKHv', 'QF511eWOuY', 'abI1dMcIrH7QBaLCO4p'
Source: 0.2.PO_287104.exe.3a46fd0.7.raw.unpack, LCSZEeb1bh6K4ZZL4wv.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ihLqaM5Cam', 'YBjq9iJ5td', 'spmqGSWO68', 'cZMqDoejEO', 'kHHqNxdFbI', 'ROXqRsPg6G', 'CeIq2OL2AR'
Source: 0.2.PO_287104.exe.3a46fd0.7.raw.unpack, SwIC4kRyYPUMjn1cNh.cs High entropy of concatenated method names: 'ejhomfX0eR', 'k35oIVf5m7', 'wClKj5Yp67', 'OVWKb7i2b4', 'YatoWdMxLE', 'KFXod8vfVo', 'TBnoSSJILc', 'BP7oacfn7B', 'kXeo9lLwr8', 'G98oG955Lk'
Source: 0.2.PO_287104.exe.3a46fd0.7.raw.unpack, iHvdKBI9eXi4igEkYy.cs High entropy of concatenated method names: 'eMxBb5y0fs', 'iVNB12Wr5T', 'xBGBHkknls', 'w6tBfqJS1n', 'NnIBhTfxM2', 'P63BeD8IPo', 'i25BiBjMZV', 'elxK28UAqy', 'FIqKm9LETW', 'ijiK3o3GlH'
Source: 0.2.PO_287104.exe.3a46fd0.7.raw.unpack, ObuQ3TErnEuLYWf4Xa.cs High entropy of concatenated method names: 'EQ8lopn18Z5EAVl9WQ6', 'yQAkBIn4brJsoS7iLGT', 'eEuiKpBZts', 'ywmiBATKRo', 'egTiqDK2hm', 'u3jHvanqGLuQGx3k0rx', 'qpxpa4nGjjr7qMSFhoO'
Source: 0.2.PO_287104.exe.3a46fd0.7.raw.unpack, GwOVJ3Du5ZBuW6bs8P.cs High entropy of concatenated method names: 'Q65o5b0WuZ', 'rthoXFAO8p', 'ToString', 'bY2ofn6vQ6', 'opfohhE2Bp', 'lTwoY1ufJN', 'z5Soen2VxF', 'n7IoieB5B1', 'PxToQCswOS', 'p98oZqZo2H'
Source: 0.2.PO_287104.exe.3a46fd0.7.raw.unpack, bGBOtPuomQ2YVfeEwZ.cs High entropy of concatenated method names: 'LhghafbUnT', 'qYGh9gmVnI', 'b4ThGTsAIg', 'cbChDm0Uh7', 'Ak8hNk1Xfq', 'ntehR5OLjp', 'LJWh2RsIfI', 'ipjhmmUkw2', 'XkNh3qVu0a', 'dhDhIIYnnH'
Source: 0.2.PO_287104.exe.3a46fd0.7.raw.unpack, ztApvlt4il2NRwsLEF.cs High entropy of concatenated method names: 'RxCiFa01t9', 'TE4iheqbXX', 'M0aie4qHOF', 'mnYiQJ9qdL', 'rWOiZRfO1Z', 'APLeNg4v3H', 'Pn6eRxXhUn', 'D8Je2tMZlQ', 'u3JemNFb60', 'NRIe3JtK83'
Source: 0.2.PO_287104.exe.3a46fd0.7.raw.unpack, HKdIYVmQWy0OrTsf28.cs High entropy of concatenated method names: 'dROKfJrc9A', 'KrcKhMYKdI', 'ksSKYABv9D', 'Sw2KeXuaCN', 'gbpKi4mYSq', 'ue9KQhIEhA', 'MAmKZK2Wlr', 'b7wKJoFYXU', 'AhPK5hP0YF', 'wVhKXb74sB'
Source: 0.2.PO_287104.exe.3a46fd0.7.raw.unpack, hXAWlqrFWmy2Xytb4g.cs High entropy of concatenated method names: 'auwQf6X49D', 'IqQQY35188', 'dVoQihIP3N', 'Ee8iI4grZ9', 'KhWiz650we', 'BYYQjB5thO', 'PClQbeQI51', 'VMoQvFhhyP', 'mXIQ1f5sWb', 'PCFQHwthTP'
Source: 0.2.PO_287104.exe.3a46fd0.7.raw.unpack, G8Mhk0bj23wLCvtwSE3.cs High entropy of concatenated method names: 'DnkBMHW9qW', 'r98BcTcFE2', 'fsVByFkIMo', 'fu9BV6PxtN', 'JxaB75IgLK', 'hSGBOasjpI', 'UrkBAEko5Z', 'wMkBunqyHH', 'QhvBgSnTi3', 'UIpB6BMhEy'
Source: 0.2.PO_287104.exe.3a46fd0.7.raw.unpack, eFKkB5zN7g07YVwWym.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'W3cBpqTEHM', 'KfdBxl2Pb0', 'UWHBk597MZ', 'L4iBosABlP', 'PccBKSnctL', 'oooBB15hvd', 'NfIBqhKxCY'
Source: 0.2.PO_287104.exe.3a46fd0.7.raw.unpack, lkQexN39G2hMTFvlQs.cs High entropy of concatenated method names: 'M1nKtOGC5c', 'OHWKEXmTpq', 'Up9KPVgWFd', 'I3HKLe9VGo', 'DtCKalpKUm', 'aEaKlpk7i7', 'Next', 'Next', 'Next', 'NextBytes'
Stores files to the Windows start menu directory
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: PO_287104.exe PID: 6156, type: MEMORYSTR
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\PO_287104.exe Memory allocated: DB0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Memory allocated: 2730000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Memory allocated: DB0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Memory allocated: 73B0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Memory allocated: 83B0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Memory allocated: 8560000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Memory allocated: 9560000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Memory allocated: 1350000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Memory allocated: 2DB0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Memory allocated: 4DB0000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\PO_287104.exe Thread delayed: delay time: 922337203685477 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\PO_287104.exe TID: 5720 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: Amcache.hve.8.dr Binary or memory string: VMware
Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.8.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.8.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.8.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.8.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.8.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.8.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr Binary or memory string: vmci.sys
Source: Amcache.hve.8.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.8.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.8.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.8.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr Binary or memory string: VMware20,1
Source: Amcache.hve.8.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.8.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.8.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.8.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.8.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: PO_287104.exe, 00000003.00000002.2257122086.0000000001106000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllmeri6
Source: Amcache.hve.8.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.8.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.8.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\PO_287104.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\PO_287104.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Process queried: DebugPort Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\PO_287104.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\PO_287104.exe Memory written: C:\Users\user\Desktop\PO_287104.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\PO_287104.exe Process created: C:\Users\user\Desktop\PO_287104.exe "C:\Users\user\Desktop\PO_287104.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\PO_287104.exe Queries volume information: C:\Users\user\Desktop\PO_287104.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Queries volume information: C:\Users\user\Desktop\PO_287104.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_287104.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
AV process strings found (often used to terminate AV products)
Source: Amcache.hve.8.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.8.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.8.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.8.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information
barindex
Yara detected PureLog Stealer
Source: Yara match File source: 0.2.PO_287104.exe.5310000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_287104.exe.5310000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_287104.exe.2c29358.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_287104.exe.2c28340.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_287104.exe.2c07714.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2040667490.0000000005310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2034133150.0000000002C05000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara detected Snake Keylogger
Source: Yara match File source: 3.2.PO_287104.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_287104.exe.392f000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_287104.exe.390e5e0.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_287104.exe.392f000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_287104.exe.390e5e0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2255807328.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2258181330.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2035283049.000000000390E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PO_287104.exe PID: 6156, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: PO_287104.exe PID: 6196, type: MEMORYSTR
Yara detected Credential Stealer
Source: Yara match File source: 3.2.PO_287104.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_287104.exe.392f000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_287104.exe.390e5e0.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_287104.exe.392f000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_287104.exe.390e5e0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2255807328.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2035283049.000000000390E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PO_287104.exe PID: 6156, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: PO_287104.exe PID: 6196, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected PureLog Stealer
Source: Yara match File source: 0.2.PO_287104.exe.5310000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_287104.exe.5310000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_287104.exe.2c29358.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_287104.exe.2c28340.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_287104.exe.2c07714.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2040667490.0000000005310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2034133150.0000000002C05000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara detected Snake Keylogger
Source: Yara match File source: 3.2.PO_287104.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_287104.exe.392f000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_287104.exe.390e5e0.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_287104.exe.392f000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_287104.exe.390e5e0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2255807328.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2258181330.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2035283049.000000000390E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PO_287104.exe PID: 6156, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: PO_287104.exe PID: 6196, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1435150 Sample: PO_287104.exe Startdate: 02/05/2024 Architecture: WINDOWS Score: 100 21 checkip.dyndns.org 2->21 23 checkip.dyndns.com 2->23 35 Multi AV Scanner detection for domain / URL 2->35 37 Found malware configuration 2->37 39 Malicious sample detected (through community Yara rule) 2->39 41 11 other signatures 2->41 8 PO_287104.exe 3 2->8         started        11 chrome.exe 9 2->11         started        signatures3 process4 dnsIp5 43 Injects a PE file into a foreign processes 8->43 14 PO_287104.exe 15 2 8->14         started        25 192.168.2.4 unknown unknown 11->25 27 192.168.2.5, 443, 49703, 49708 unknown unknown 11->27 29 2 other IPs or domains 11->29 17 chrome.exe 11->17         started        signatures6 process7 dnsIp8 31 checkip.dyndns.com 193.122.130.0, 49708, 80 ORACLE-BMC-31898US United States 14->31 19 WerFault.exe 19 16 14->19         started        33 www.google.com 142.251.35.164, 443, 49712, 49713 GOOGLEUS United States 17->33 process9
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
193.122.130.0
 checkip.dyndns.com United States
31898 ORACLE-BMC-31898US false
239.255.255.250
 unknown Reserved
unknown unknown false
142.251.35.164
 www.google.com United States
15169 GOOGLEUS false

Private

IP
192.168.2.4
192.168.2.6
192.168.2.5

Contacted Domains

Name IP Active
www.google.com 142.251.35.164 true
checkip.dyndns.com 193.122.130.0 true
checkip.dyndns.org unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://www.google.com/async/ddljson?async=ntp:2 false
    		high
    https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YJbhGMrazLEGIjBZUN1Vqkwi12TG-vYHko3v5bGLhfMhQg1bQ3rJ4hZy5IkSprSYJZZ7YfDKBTYYOVsyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM false
      		high
      https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw false
        		high
        http://checkip.dyndns.org/ false
        • URL Reputation: safe
        • URL Reputation: safe
        		 unknown
        https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS_YJbhGMrazLEGIjAtDLKtaW7imy5MSBR16Nr2fdKnHvcFaleWOY1c1TY4DlJgIX8p-mGA1aAPz9kdujYyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM false
          		high
          https://www.google.com/async/newtab_promos false
            		high
            https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0 false
              		high