Managed XDR

pohotsviewer.jpg.zip — malware analysis report

File info

Filename: pohotsviewer.jpg.zip
File type: Zip archive data, at least v2.0 to extract
File size: 1.8 MB
First seen: 2026-05-20 03:52
Last seen: 2026-06-18 00:09

Environment

w10/x64 en

Hashes

SHA1: b419c07ead0265759cd60d3ad7c275e12a9439dc
SHA256: 0ee51c146327c788f77576372d1f06ae200c462019d58a2e76922b2ce59a0801
MD5: b8773d3c1449d60a0ef29ac6162fbb73

Signatures

Execution

T1053.005 creates_tasks: Creates a delayed task using Task Scheduler

T1204.002 mimics_extension: Attempts to mimic the file extension

T1047 antivm_wmi: Uses WMI to detect virtual environment

T1047 has_wmi: Executes one or several WMI requests

Persistence

T1053.005 creates_tasks: Creates a delayed task using Task Scheduler

Privilege Escalation

T1053.005 creates_tasks: Creates a delayed task using Task Scheduler

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1027.002 unnamed_memory_regions: Code was executed in unnamed regions

T1036 mimics_extension: Attempts to mimic the file extension

T1497.001 antivm_wmi: Uses WMI to detect virtual environment

T1497.003 antisandbox_sleep: The process attempted to slow down analysis

T1027.002 packer_entropy: Probably contains compressed or encrypted data

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers

T1497.001 antivm_generic_productname: Checks system product name in registry, possibly for anti-virtualization

Credential Access

T1056.001 infostealer_keylogger: Keylogger (intercepts keystrokes)

T1555.004 windows_credential_manager: Acquire credentials from the Windows Credential Manager

Discovery

T1497.001 antivm_wmi: Uses WMI to detect virtual environment

T1497.003 antisandbox_sleep: The process attempted to slow down analysis

T1057 has_wmi: Executes one or several WMI requests

T1082 has_wmi: Executes one or several WMI requests

T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers

T1497.001 antivm_generic_productname: Checks system product name in registry, possibly for anti-virtualization

Collection

T1056.001 infostealer_keylogger: Keylogger (intercepts keystrokes)

Command and Control

T1071.001 winhttp_https: Performs HTTP/HTTPS requests using WinHttp

Other

network_bind: Starts servers listening at None

only_exec_in_archive: The archive contains only an executable file

no_graphical_activity: No graphic activity

create_rpc_bindings: Creates RPC connection

require_administrator: Requests administrator privileges

suspicious_network_port: Performs TCP or UDP request to non-standard port

test_check_service: Starts services

yara_rules: Static rules

Managed XDR