Windows Analysis Report
PsBygexGwH.exe

Overview

General Information

Sample name: PsBygexGwH.exe
renamed because original name is a hash value
Original sample name: f36cebf205cb95b23bea11f15356461b51b40cd0bd586e5c5f151a6396a6151a.exe
Analysis ID: 1422242
MD5: 222d05295014f8974d6e358e1507770e
SHA1: d1475a87d8aad1852eda1ac93ebb0bbbb1f08e0b
SHA256: f36cebf205cb95b23bea11f15356461b51b40cd0bd586e5c5f151a6396a6151a
Tags: exe
Infos:

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected Snake Keylogger
Binary is likely a compiled AutoIt script file
Drops VBS files to the startup folder
Found API chain indicative of sandbox detection
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Potentially malicious time measurement code found
Sigma detected: WScript or CScript Dropper
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected Generic Downloader
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Tries to load missing DLLs
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
404 Keylogger, Snake Keylogger Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection
barindex
Antivirus detection for URL or domain
Source: https://scratchdreams.tk Avira URL Cloud: Label: malware
Source: https://scratchdreams.tk/_send_.php?TS Avira URL Cloud: Label: malware
Source: http://scratchdreams.tk Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000006.00000002.3000550046.0000000003910000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "contabilidad@daipro.com.mx", "Password": "DAIpro123**", "Host": "mail.daipro.com.mx", "Port": "587"}
Multi AV Scanner detection for domain / URL
Source: scratchdreams.tk Virustotal: Detection: 6% Perma Link
Source: https://scratchdreams.tk Virustotal: Detection: 15% Perma Link
Source: http://scratchdreams.tk Virustotal: Detection: 6% Perma Link
Source: https://scratchdreams.tk/_send_.php?TS Virustotal: Detection: 14% Perma Link
Multi AV Scanner detection for submitted file
Source: PsBygexGwH.exe ReversingLabs: Detection: 65%
Source: PsBygexGwH.exe Virustotal: Detection: 70% Perma Link
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\directory\name.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: PsBygexGwH.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: PsBygexGwH.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.4:49738 version: TLS 1.0
Source: unknown HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.4:49754 version: TLS 1.0
Source: unknown HTTPS traffic detected: 104.21.27.85:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.27.85:443 -> 192.168.2.4:49768 version: TLS 1.2
Source: Binary string: wntdll.pdbUGP source: name.exe, 00000006.00000003.2997844990.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000006.00000003.2997193126.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000009.00000003.3128087132.0000000004290000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000009.00000003.3129130563.0000000004120000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: name.exe, 00000006.00000003.2997844990.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000006.00000003.2997193126.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000009.00000003.3128087132.0000000004290000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000009.00000003.3129130563.0000000004120000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_0018DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 0_2_0018DBBE
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_001968EE FindFirstFileW,FindClose, 0_2_001968EE
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_0019698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 0_2_0019698F
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_0018D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0018D076
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_0018D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0018D3A9
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_00199642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00199642
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_0019979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0019979D
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_00199B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00199B2B
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_00195C97 FindFirstFileW,FindNextFileW,FindClose, 0_2_00195C97
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_0032DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 6_2_0032DBBE
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_003368EE FindFirstFileW,FindClose, 6_2_003368EE
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_0033698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 6_2_0033698F
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_0032D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 6_2_0032D076
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_0032D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 6_2_0032D3A9
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_00339642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 6_2_00339642
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_0033979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 6_2_0033979D
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_00339B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 6_2_00339B2B
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_00335C97 FindFirstFileW,FindNextFileW,FindClose, 6_2_00335C97
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\ Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\ Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\ Jump to behavior
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 008EFCD1h 7_2_008EFA10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 008EEFDDh 7_2_008EEDF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 008EF967h 7_2_008EEDF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 7_2_008EE310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 7_2_008EE943
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 7_2_008EEB23
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 04F7CB61h 7_2_04F7C8B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 04F70751h 7_2_04F704A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 04F7C709h 7_2_04F7C460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 04F7F6D1h 7_2_04F7F428
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 04F7D869h 7_2_04F7D5C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 04F71011h 7_2_04F70D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 04F7CFB9h 7_2_04F7CD10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 04F715D8h 7_2_04F71506
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 04F7E119h 7_2_04F7DE70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 04F7F279h 7_2_04F7EFD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 04F7BA01h 7_2_04F7B758
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 04F7E9C9h 7_2_04F7E720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 04F7FB29h 7_2_04F7F880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 04F702F1h 7_2_04F70040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 04F7C2B1h 7_2_04F7C008
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 04F715D8h 7_2_04F711C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 04F7D411h 7_2_04F7D168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 04F70BB1h 7_2_04F70900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 04F7E571h 7_2_04F7E2C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 04F7DCC1h 7_2_04F7DA18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 04F7BE59h 7_2_04F7BBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 04F7EE21h 7_2_04F7EB78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 04F7B5A9h 7_2_04F7B300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06058945h 7_2_06058608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 060558C1h 7_2_06055618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06055D19h 7_2_06055A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 7_2_060536CE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06056171h 7_2_06055EC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 060565C9h 7_2_06056320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06056A21h 7_2_06056778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 7_2_060533A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 7_2_060533B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06056E79h 7_2_06056BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 060502E9h 7_2_06050040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 060572FAh 7_2_06057050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06050741h 7_2_06050498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06057751h 7_2_060574A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06050B99h 7_2_060508F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06057BA9h 7_2_06057900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06050FF1h 7_2_06050D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06058001h 7_2_06057D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06055441h 7_2_06055198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06058459h 7_2_060581B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 00AFFCD1h 10_2_00AFFA10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 00AFEFDDh 10_2_00AFEDF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 00AFF967h 10_2_00AFEDF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 10_2_00AFE310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 10_2_00AFE943
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 10_2_00AFEB23
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06378945h 10_2_06378608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 063758C1h 10_2_06375618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06375D19h 10_2_06375A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06376171h 10_2_06375EC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 063765C9h 10_2_06376320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06376A21h 10_2_06376778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 10_2_063733B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 10_2_063733A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06376E79h 10_2_06376BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 063772FAh 10_2_06377050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 063702E9h 10_2_06370040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06377751h 10_2_063774A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06370741h 10_2_06370498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06370B99h 10_2_063708F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06377BA9h 10_2_06377900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06378001h 10_2_06377D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06370FF1h 10_2_06370D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06378459h 10_2_063781B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06375441h 10_2_06375198

Networking
barindex
Yara detected Generic Downloader
Source: Yara match File source: 9.2.name.exe.40c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.name.exe.3910000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.3000550046.0000000003910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3132403905.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /_send_.php?TS HTTP/1.1Host: scratchdreams.tkConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /_send_.php?TS HTTP/1.1Host: scratchdreams.tkConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 158.101.44.242 158.101.44.242
Source: Joe Sandbox View IP Address: 172.67.177.134 172.67.177.134
Source: Joe Sandbox View IP Address: 104.21.27.85 104.21.27.85
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
May check the online IP address of the machine
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: checkip.dyndns.org
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.4:49738 version: TLS 1.0
Source: unknown HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.4:49754 version: TLS 1.0
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_0019CE44 InternetReadFile,SetEvent,GetLastError,SetEvent, 0_2_0019CE44
Source: global traffic HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /_send_.php?TS HTTP/1.1Host: scratchdreams.tkConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/102.129.152.231 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /_send_.php?TS HTTP/1.1Host: scratchdreams.tkConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: unknown DNS traffic detected: queries for: checkip.dyndns.org
Source: RegSvcs.exe, 00000007.00000002.4088699250.000000000269B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.00000000026C4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.00000000026B7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.0000000002608000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.0000000002700000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.00000000026A9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.0000000002977000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.00000000028BB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.000000000295C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.000000000294A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.00000000029A4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.0000000002969000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000007.00000002.4088699250.00000000026C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.com(
Source: RegSvcs.exe, 00000007.00000002.4088699250.000000000269B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.00000000026C4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.000000000264B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.00000000026D2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.00000000026B7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.0000000002608000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.0000000002700000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.00000000025FC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.00000000026A9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.0000000002977000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.00000000028BB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.00000000028AF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.000000000295C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.000000000294A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.00000000029A4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.00000000028FE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.0000000002969000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.0000000002985000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000007.00000002.4088699250.0000000002551000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.0000000002801000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: name.exe, 00000006.00000002.3000550046.0000000003910000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4087333000.0000000000579000.00000040.80000000.00040000.00000000.sdmp, name.exe, 00000009.00000002.3132403905.00000000040C0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000007.00000002.4088699250.000000000269B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.00000000026C4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.00000000026B7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.0000000002700000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.0000000002620000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.00000000026A9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.0000000002977000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.00000000028D3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.000000000295C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.000000000294A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.00000000029A4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.0000000002969000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000007.00000002.4088699250.0000000002551000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.0000000002801000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000007.00000002.4088699250.000000000270E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.00000000029C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://scratchdreams.tk
Source: RegSvcs.exe, 00000007.00000002.4088699250.000000000269B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.00000000026C4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.000000000264B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.00000000026B7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.0000000002608000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.0000000002700000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.00000000026A9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.0000000002977000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.00000000028BB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.000000000295C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.000000000294A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.00000000029A4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.00000000028FE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.0000000002969000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: name.exe, 00000006.00000002.3000550046.0000000003910000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.0000000002608000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4087333000.0000000000579000.00000040.80000000.00040000.00000000.sdmp, name.exe, 00000009.00000002.3132403905.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.00000000028BB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 0000000A.00000002.4089048869.0000000002969000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/102.129.152.231
Source: RegSvcs.exe, 00000007.00000002.4088699250.000000000269B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.00000000026C4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.000000000264B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.00000000026B7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.0000000002700000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.00000000026A9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.0000000002977000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.000000000295C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.000000000294A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.00000000029A4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.00000000028FE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.0000000002969000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/102.129.152.231$
Source: name.exe, 00000006.00000002.3000550046.0000000003910000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4087333000.0000000000579000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.000000000270E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.0000000002551000.00000004.00000800.00020000.00000000.sdmp, name.exe, 00000009.00000002.3132403905.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.0000000002801000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://scratchdreams.tk
Source: RegSvcs.exe, 00000007.00000002.4088699250.000000000270E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.00000000029C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://scratchdreams.tk/_send_.php?TS
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown HTTPS traffic detected: 104.21.27.85:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.27.85:443 -> 192.168.2.4:49768 version: TLS 1.2
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_0019EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 0_2_0019EAFF
Contains functionality to modify clipboard data
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_0019ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_0019ED6A
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_0033ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 6_2_0033ED6A
Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_0019EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 0_2_0019EAFF
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_0018AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput, 0_2_0018AA57
Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_001B9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 0_2_001B9576
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_00359576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 6_2_00359576

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 9.2.name.exe.40c0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.name.exe.40c0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.name.exe.40c0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.name.exe.40c0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 6.2.name.exe.3910000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 6.2.name.exe.3910000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.2.name.exe.3910000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 6.2.name.exe.3910000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 6.2.name.exe.3910000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 6.2.name.exe.3910000.1.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.2.name.exe.3910000.1.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 6.2.name.exe.3910000.1.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 9.2.name.exe.40c0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.name.exe.40c0000.1.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.name.exe.40c0000.1.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.name.exe.40c0000.1.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000006.00000002.3000550046.0000000003910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000006.00000002.3000550046.0000000003910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000006.00000002.3000550046.0000000003910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000006.00000002.3000550046.0000000003910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000007.00000002.4087333000.0000000000579000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000009.00000002.3132403905.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000009.00000002.3132403905.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000009.00000002.3132403905.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000009.00000002.3132403905.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: name.exe PID: 3052, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: name.exe PID: 3052, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: RegSvcs.exe PID: 5444, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: name.exe PID: 4556, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: name.exe PID: 4556, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Binary is likely a compiled AutoIt script file
Source: PsBygexGwH.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: PsBygexGwH.exe, 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_6544cbe5-d
Source: PsBygexGwH.exe, 00000000.00000002.2975113061.00000000001E2000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_b7a97d05-4
Source: PsBygexGwH.exe, 00000000.00000003.2959475074.0000000004101000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_ce91a3ca-8
Source: PsBygexGwH.exe, 00000000.00000003.2959475074.0000000004101000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_c94f0853-9
Source: name.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: name.exe, 00000006.00000002.2999789475.0000000000382000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_1a9718ee-0
Source: name.exe, 00000006.00000002.2999789475.0000000000382000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_4538d9ec-a
Source: name.exe, 00000009.00000000.3104924286.0000000000382000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_4b00458a-0
Source: name.exe, 00000009.00000000.3104924286.0000000000382000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_0f2108f5-4
Source: PsBygexGwH.exe String found in binary or memory: This is a third-party compiled AutoIt script. memstr_f24d0a11-c
Source: PsBygexGwH.exe String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_99a18de8-d
Source: name.exe.0.dr String found in binary or memory: This is a third-party compiled AutoIt script. memstr_63133954-6
Source: name.exe.0.dr String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_d1731f20-b
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8} Jump to behavior
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\PsBygexGwH.exe Process Stats: CPU usage > 49%
Contains functionality to communicate with device drivers
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_0018D5EB: CreateFileW,DeviceIoControl,CloseHandle, 0_2_0018D5EB
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_00181201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_00181201
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_0018E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 0_2_0018E8F6
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_0032E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 6_2_0032E8F6
Detected potential crypto function
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_00192046 0_2_00192046
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_00128060 0_2_00128060
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_00188298 0_2_00188298
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_0015E4FF 0_2_0015E4FF
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_0015676B 0_2_0015676B
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_001B4873 0_2_001B4873
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_0014CAA0 0_2_0014CAA0
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_0012CAF0 0_2_0012CAF0
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_0013CC39 0_2_0013CC39
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_00156DD9 0_2_00156DD9
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_0013B119 0_2_0013B119
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_001291C0 0_2_001291C0
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_00141394 0_2_00141394
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_00141706 0_2_00141706
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_0014781B 0_2_0014781B
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_00127920 0_2_00127920
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_0013997D 0_2_0013997D
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_001419B0 0_2_001419B0
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_00147A4A 0_2_00147A4A
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_00141C77 0_2_00141C77
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_00147CA7 0_2_00147CA7
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_001ABE44 0_2_001ABE44
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_00159EEE 0_2_00159EEE
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_00141F32 0_2_00141F32
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_023C37C0 0_2_023C37C0
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_002C8060 6_2_002C8060
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_00332046 6_2_00332046
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_00328298 6_2_00328298
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_002FE4FF 6_2_002FE4FF
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_002F676B 6_2_002F676B
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_00354873 6_2_00354873
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_002ECAA0 6_2_002ECAA0
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_002CCAF0 6_2_002CCAF0
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_002DCC39 6_2_002DCC39
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_002F6DD9 6_2_002F6DD9
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_002DD065 6_2_002DD065
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_002C90BC 6_2_002C90BC
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_002DB119 6_2_002DB119
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_002C91C0 6_2_002C91C0
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_002E1394 6_2_002E1394
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_002E1706 6_2_002E1706
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_002E781B 6_2_002E781B
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_002C7920 6_2_002C7920
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_002D997D 6_2_002D997D
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_002E19B0 6_2_002E19B0
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_002E7A4A 6_2_002E7A4A
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_002E1C77 6_2_002E1C77
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_002E7CA7 6_2_002E7CA7
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_00313CD5 6_2_00313CD5
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_0034BE44 6_2_0034BE44
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_002F9EEE 6_2_002F9EEE
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_002E1F32 6_2_002E1F32
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_002CBF40 6_2_002CBF40
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_039037C0 6_2_039037C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_008EC1F0 7_2_008EC1F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_008E6168 7_2_008E6168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_008EB388 7_2_008EB388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_008EC4D0 7_2_008EC4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_008EC7B2 7_2_008EC7B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_008E98B8 7_2_008E98B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_008E68E0 7_2_008E68E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_008ECA92 7_2_008ECA92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_008EFA10 7_2_008EFA10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_008E4B31 7_2_008E4B31
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_008EBC32 7_2_008EBC32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_008EEDF0 7_2_008EEDF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_008EBF10 7_2_008EBF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_008EE300 7_2_008EE300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_008EE310 7_2_008EE310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_008E35CA 7_2_008E35CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_008EB552 7_2_008EB552
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_04F73688 7_2_04F73688
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_04F7C8B8 7_2_04F7C8B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_04F78278 7_2_04F78278
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_04F77BA8 7_2_04F77BA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_04F704A0 7_2_04F704A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_04F70490 7_2_04F70490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_04F7C460 7_2_04F7C460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_04F7C450 7_2_04F7C450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_04F7F428 7_2_04F7F428
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_04F7F418 7_2_04F7F418
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_04F7D5C0 7_2_04F7D5C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_04F7D5B0 7_2_04F7D5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_04F70D60 7_2_04F70D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_04F70D50 7_2_04F70D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_04F7CD10 7_2_04F7CD10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_04F7CD02 7_2_04F7CD02
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_04F7DE70 7_2_04F7DE70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_04F73678 7_2_04F73678
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_04F7DE61 7_2_04F7DE61
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_04F7BFF8 7_2_04F7BFF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_04F7EFD0 7_2_04F7EFD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_04F7EFC1 7_2_04F7EFC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_04F7B758 7_2_04F7B758
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_04F7B748 7_2_04F7B748
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_04F7E720 7_2_04F7E720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_04F7E710 7_2_04F7E710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_04F708F1 7_2_04F708F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_04F7C8A8 7_2_04F7C8A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_04F7F880 7_2_04F7F880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_04F7F871 7_2_04F7F871
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_04F70040 7_2_04F70040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_04F7001F 7_2_04F7001F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_04F7C008 7_2_04F7C008
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_04F7D168 7_2_04F7D168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_04F7D158 7_2_04F7D158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_04F70900 7_2_04F70900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_04F7B2EF 7_2_04F7B2EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_04F7E2C8 7_2_04F7E2C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_04F7E2B8 7_2_04F7E2B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_04F7DA18 7_2_04F7DA18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_04F77200 7_2_04F77200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_04F7DA09 7_2_04F7DA09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_04F7BBB0 7_2_04F7BBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_04F7BBA0 7_2_04F7BBA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_04F7EB78 7_2_04F7EB78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_04F7EB68 7_2_04F7EB68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_04F7B300 7_2_04F7B300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_06058608 7_2_06058608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0605AA58 7_2_0605AA58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0605D670 7_2_0605D670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0605B6E8 7_2_0605B6E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_06058B58 7_2_06058B58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0605C388 7_2_0605C388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0605A408 7_2_0605A408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0605D028 7_2_0605D028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0605B0A0 7_2_0605B0A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0605BD38 7_2_0605BD38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_060511A0 7_2_060511A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0605C9D8 7_2_0605C9D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_06058602 7_2_06058602
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0605560A 7_2_0605560A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_06055618 7_2_06055618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0605AA48 7_2_0605AA48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_06055A60 7_2_06055A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0605D662 7_2_0605D662
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_06055A70 7_2_06055A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_06055EB8 7_2_06055EB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_06055EC8 7_2_06055EC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0605B6D8 7_2_0605B6D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_06056312 7_2_06056312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_06056320 7_2_06056320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_06053730 7_2_06053730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_06056768 7_2_06056768
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_06056778 7_2_06056778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0605C378 7_2_0605C378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_060533A8 7_2_060533A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_060533B8 7_2_060533B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_06056BC1 7_2_06056BC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_06056BD0 7_2_06056BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0605A3FA 7_2_0605A3FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_06052807 7_2_06052807
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_06050006 7_2_06050006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_06052818 7_2_06052818
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0605D018 7_2_0605D018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_06054430 7_2_06054430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_06050040 7_2_06050040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_06057049 7_2_06057049
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_06057050 7_2_06057050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_06050488 7_2_06050488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_06057497 7_2_06057497
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0605B090 7_2_0605B090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_06050498 7_2_06050498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_060574A8 7_2_060574A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_060508E0 7_2_060508E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_060508F0 7_2_060508F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_060578F0 7_2_060578F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_06057900 7_2_06057900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0605BD28 7_2_0605BD28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_06050D39 7_2_06050D39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_06050D48 7_2_06050D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_06057D48 7_2_06057D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_06057D58 7_2_06057D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0605518A 7_2_0605518A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_06051191 7_2_06051191
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_06055198 7_2_06055198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_060581A0 7_2_060581A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_060581B0 7_2_060581B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0605C9C8 7_2_0605C9C8
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 9_2_03D437C0 9_2_03D437C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_00AFC1F0 10_2_00AFC1F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_00AF6168 10_2_00AF6168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_00AFC4D3 10_2_00AFC4D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_00AFB500 10_2_00AFB500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_00AFC7B1 10_2_00AFC7B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_00AF6790 10_2_00AF6790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_00AF98B8 10_2_00AF98B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_00AFCA91 10_2_00AFCA91
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_00AFFA10 10_2_00AFFA10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_00AF4B31 10_2_00AF4B31
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_00AFEDF0 10_2_00AFEDF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_00AFBF10 10_2_00AFBF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_00AFE300 10_2_00AFE300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_00AFE310 10_2_00AFE310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_00AF35C8 10_2_00AF35C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_06378608 10_2_06378608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_0637D670 10_2_0637D670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_0637AA58 10_2_0637AA58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_0637B6E8 10_2_0637B6E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_0637C388 10_2_0637C388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_0637D028 10_2_0637D028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_0637A408 10_2_0637A408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_06378C51 10_2_06378C51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_0637B0A0 10_2_0637B0A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_0637BD38 10_2_0637BD38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_063711A0 10_2_063711A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_0637C9D8 10_2_0637C9D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_06375618 10_2_06375618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_0637560A 10_2_0637560A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_06375A70 10_2_06375A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_0637D663 10_2_0637D663
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_06375A60 10_2_06375A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_0637AA48 10_2_0637AA48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_06375EB8 10_2_06375EB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_0637B6D8 10_2_0637B6D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_06375EC8 10_2_06375EC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_06373730 10_2_06373730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_06376320 10_2_06376320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_06376312 10_2_06376312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_06376778 10_2_06376778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_0637C378 10_2_0637C378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_0637676A 10_2_0637676A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_063733B8 10_2_063733B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_063733A8 10_2_063733A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_0637A3FA 10_2_0637A3FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_06376BD0 10_2_06376BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_06376BC1 10_2_06376BC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_06374430 10_2_06374430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_06372818 10_2_06372818
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_0637D018 10_2_0637D018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_06372807 10_2_06372807
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_06370006 10_2_06370006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_06377050 10_2_06377050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_06370040 10_2_06370040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_06377040 10_2_06377040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_063774A8 10_2_063774A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_06377497 10_2_06377497
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_0637B090 10_2_0637B090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_06370498 10_2_06370498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_06370488 10_2_06370488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_063708F0 10_2_063708F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_063778F0 10_2_063778F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_063708E0 10_2_063708E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_06370D39 10_2_06370D39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_0637BD28 10_2_0637BD28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_06377900 10_2_06377900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_06377D58 10_2_06377D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_06370D48 10_2_06370D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_06377D48 10_2_06377D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_063781B0 10_2_063781B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_063781A0 10_2_063781A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_06371191 10_2_06371191
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_06375198 10_2_06375198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_0637518A 10_2_0637518A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_063785FC 10_2_063785FC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_0637C9C8 10_2_0637C9C8
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: String function: 0013F9F2 appears 31 times
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: String function: 00140A30 appears 46 times
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: String function: 002DF9F2 appears 31 times
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: String function: 002E0A30 appears 46 times
Tries to load missing DLLs
Source: C:\Users\user\Desktop\PsBygexGwH.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\PsBygexGwH.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\PsBygexGwH.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\PsBygexGwH.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\PsBygexGwH.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\PsBygexGwH.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\PsBygexGwH.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\PsBygexGwH.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\PsBygexGwH.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\PsBygexGwH.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\PsBygexGwH.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\PsBygexGwH.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\PsBygexGwH.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\PsBygexGwH.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\PsBygexGwH.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: wldp.dll Jump to behavior
Uses 32bit PE files
Source: PsBygexGwH.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Yara signature match
Source: 9.2.name.exe.40c0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.name.exe.40c0000.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.name.exe.40c0000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.name.exe.40c0000.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 6.2.name.exe.3910000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.name.exe.3910000.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.name.exe.3910000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.2.name.exe.3910000.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 6.2.name.exe.3910000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.name.exe.3910000.1.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.name.exe.3910000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.2.name.exe.3910000.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 9.2.name.exe.40c0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.name.exe.40c0000.1.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.name.exe.40c0000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.name.exe.40c0000.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000006.00000002.3000550046.0000000003910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000006.00000002.3000550046.0000000003910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000006.00000002.3000550046.0000000003910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000006.00000002.3000550046.0000000003910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000007.00000002.4087333000.0000000000579000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000009.00000002.3132403905.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000009.00000002.3132403905.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.3132403905.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000009.00000002.3132403905.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: name.exe PID: 3052, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: name.exe PID: 3052, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: RegSvcs.exe PID: 5444, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: name.exe PID: 4556, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: name.exe PID: 4556, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 6.2.name.exe.3910000.1.raw.unpack, -.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 6.2.name.exe.3910000.1.raw.unpack, -.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 6.2.name.exe.3910000.1.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 6.2.name.exe.3910000.1.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.name.exe.40c0000.1.raw.unpack, -.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.name.exe.40c0000.1.raw.unpack, -.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.name.exe.40c0000.1.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.name.exe.40c0000.1.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winEXE@10/10@3/3
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_001937B5 GetLastError,FormatMessageW, 0_2_001937B5
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_001810BF AdjustTokenPrivileges,CloseHandle, 0_2_001810BF
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_001816C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 0_2_001816C3
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_003210BF AdjustTokenPrivileges,CloseHandle, 6_2_003210BF
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_003216C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 6_2_003216C3
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_001951CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 0_2_001951CD
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_001AA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 0_2_001AA67C
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_0019648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize, 0_2_0019648E
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_001242A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 0_2_001242A2
Source: C:\Users\user\Desktop\PsBygexGwH.exe File created: C:\Users\user\AppData\Local\directory Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Mutant created: NULL
Source: C:\Users\user\Desktop\PsBygexGwH.exe File created: C:\Users\user\AppData\Local\Temp\aut1009.tmp Jump to behavior
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"
Source: PsBygexGwH.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\PsBygexGwH.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: RegSvcs.exe, 00000007.00000002.4088699250.000000000279A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.00000000027A8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.4088699250.000000000278A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.0000000002A3D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.0000000002A5B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.4089048869.0000000002A4D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: PsBygexGwH.exe ReversingLabs: Detection: 65%
Source: PsBygexGwH.exe Virustotal: Detection: 70%
Source: C:\Users\user\Desktop\PsBygexGwH.exe File read: C:\Users\user\Desktop\PsBygexGwH.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\PsBygexGwH.exe "C:\Users\user\Desktop\PsBygexGwH.exe"
Source: C:\Users\user\Desktop\PsBygexGwH.exe Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\Desktop\PsBygexGwH.exe"
Source: C:\Users\user\AppData\Local\directory\name.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\PsBygexGwH.exe"
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe"
Source: C:\Users\user\AppData\Local\directory\name.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\directory\name.exe"
Source: C:\Users\user\Desktop\PsBygexGwH.exe Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\Desktop\PsBygexGwH.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\PsBygexGwH.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\directory\name.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: PsBygexGwH.exe Static file information: File size 1130496 > 1048576
Source: PsBygexGwH.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: PsBygexGwH.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: PsBygexGwH.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: PsBygexGwH.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: PsBygexGwH.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: PsBygexGwH.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: PsBygexGwH.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wntdll.pdbUGP source: name.exe, 00000006.00000003.2997844990.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000006.00000003.2997193126.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000009.00000003.3128087132.0000000004290000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000009.00000003.3129130563.0000000004120000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: name.exe, 00000006.00000003.2997844990.0000000003E00000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000006.00000003.2997193126.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000009.00000003.3128087132.0000000004290000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000009.00000003.3129130563.0000000004120000.00000004.00001000.00020000.00000000.sdmp
Source: PsBygexGwH.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: PsBygexGwH.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: PsBygexGwH.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: PsBygexGwH.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: PsBygexGwH.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_001242DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_001242DE
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_00140A76 push ecx; ret 0_2_00140A89
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_002E0A76 push ecx; ret 6_2_002E0A89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_008E9770 push esp; ret 7_2_008E9771
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_04F7234A push edx; ret 7_2_04F7234B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_00AF9770 push esp; ret 10_2_00AF9771
Drops PE files
Source: C:\Users\user\Desktop\PsBygexGwH.exe File created: C:\Users\user\AppData\Local\directory\name.exe Jump to dropped file

Boot Survival
barindex
Drops VBS files to the startup folder
Source: C:\Users\user\AppData\Local\directory\name.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs Jump to dropped file
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Users\user\AppData\Local\directory\name.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs Jump to behavior
Stores files to the Windows start menu directory
Source: C:\Users\user\AppData\Local\directory\name.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs Jump to behavior
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_0013F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_0013F98E
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_001B1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_001B1C41
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_002DF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 6_2_002DF98E
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_00351C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 6_2_00351C41
Source: C:\Users\user\Desktop\PsBygexGwH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PsBygexGwH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Found API chain indicative of sandbox detection
Source: C:\Users\user\Desktop\PsBygexGwH.exe Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
Source: C:\Users\user\AppData\Local\directory\name.exe Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_002CD010 rdtsc 6_2_002CD010
Contains long sleeps (>= 3 min)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599844 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599721 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599609 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599500 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599391 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599266 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599141 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599031 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598922 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598813 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598688 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598563 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598453 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598344 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598219 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598110 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597985 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597860 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597735 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597610 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597485 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597360 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597235 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597110 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596985 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596860 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596735 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596610 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596485 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596360 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596235 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596094 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595984 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595875 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595766 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595641 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595516 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595406 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595297 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595187 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595078 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594969 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594859 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594750 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594641 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594516 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594391 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594279 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594158 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599890 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599781 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599671 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599562 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599453 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599343 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599234 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599125 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599015 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598906 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598796 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598686 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598577 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598468 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598359 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598250 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598140 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598031 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597921 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597812 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597703 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597593 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597484 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597375 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597262 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597156 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597046 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596937 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596828 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596718 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596609 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596500 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596390 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596281 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596171 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596062 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595951 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595843 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595734 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595625 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595515 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595406 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595296 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595187 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595078 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594968 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594830 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594703 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594593 Jump to behavior
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 1835 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 7995 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 8620 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 1231 Jump to behavior
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\PsBygexGwH.exe API coverage: 4.0 %
Source: C:\Users\user\AppData\Local\directory\name.exe API coverage: 4.2 %
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_0018DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 0_2_0018DBBE
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_001968EE FindFirstFileW,FindClose, 0_2_001968EE
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_0019698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 0_2_0019698F
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_0018D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0018D076
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_0018D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0018D3A9
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_00199642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00199642
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_0019979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0019979D
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_00199B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00199B2B
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_00195C97 FindFirstFileW,FindNextFileW,FindClose, 0_2_00195C97
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_0032DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 6_2_0032DBBE
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_003368EE FindFirstFileW,FindClose, 6_2_003368EE
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_0033698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 6_2_0033698F
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_0032D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 6_2_0032D076
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_0032D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 6_2_0032D3A9
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_00339642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 6_2_00339642
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_0033979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 6_2_0033979D
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_00339B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 6_2_00339B2B
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_00335C97 FindFirstFileW,FindNextFileW,FindClose, 6_2_00335C97
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_001242DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_001242DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599844 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599721 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599609 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599500 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599391 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599266 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599141 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599031 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598922 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598813 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598688 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598563 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598453 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598344 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598219 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598110 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597985 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597860 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597735 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597610 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597485 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597360 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597235 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597110 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596985 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596860 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596735 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596610 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596485 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596360 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596235 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596094 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595984 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595875 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595766 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595641 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595516 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595406 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595297 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595187 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595078 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594969 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594859 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594750 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594641 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594516 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594391 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594279 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594158 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599890 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599781 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599671 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599562 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599453 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599343 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599234 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599125 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599015 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598906 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598796 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598686 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598577 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598468 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598359 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598250 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598140 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598031 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597921 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597812 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597703 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597593 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597484 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597375 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597262 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597156 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597046 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596937 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596828 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596718 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596609 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596500 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596390 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596281 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596171 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596062 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595951 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595843 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595734 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595625 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595515 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595406 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595296 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595187 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595078 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594968 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594830 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594703 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594593 Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\ Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\ Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\ Jump to behavior
Source: RegSvcs.exe, 0000000A.00000002.4088550668.0000000000B58000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll81
Source: PsBygexGwH.exe, 00000000.00000003.1624604950.00000000017F9000.00000004.00000020.00020000.00000000.sdmp, PsBygexGwH.exe, 00000000.00000002.2976091390.00000000023D0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000006.00000003.2976079470.000000000176E000.00000004.00000020.00020000.00000000.sdmp, name.exe, 00000009.00000003.3106831071.0000000001C5D000.00000004.00000020.00020000.00000000.sdmp, troopwise.0.dr Binary or memory string: GL9=6HGFS
Source: wscript.exe, 00000008.00000002.3105555476.0000012C6D816000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: RegSvcs.exe, 00000007.00000002.4087601813.00000000007EB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging
barindex
Potentially malicious time measurement code found
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_002CD010 Start: 002CD039 End: 002CD029 6_2_002CD010
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_002CD010 rdtsc 6_2_002CD010
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_04F77BA8 LdrInitializeThunk, 7_2_04F77BA8
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_0019EAA2 BlockInput, 0_2_0019EAA2
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_00152622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00152622
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_001242DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_001242DE
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_00144CE8 mov eax, dword ptr fs:[00000030h] 0_2_00144CE8
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_023C3650 mov eax, dword ptr fs:[00000030h] 0_2_023C3650
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_023C36B0 mov eax, dword ptr fs:[00000030h] 0_2_023C36B0
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_023C1ED0 mov eax, dword ptr fs:[00000030h] 0_2_023C1ED0
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_002E4CE8 mov eax, dword ptr fs:[00000030h] 6_2_002E4CE8
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_039036B0 mov eax, dword ptr fs:[00000030h] 6_2_039036B0
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_03903650 mov eax, dword ptr fs:[00000030h] 6_2_03903650
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_03901ED0 mov eax, dword ptr fs:[00000030h] 6_2_03901ED0
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 9_2_03D43650 mov eax, dword ptr fs:[00000030h] 9_2_03D43650
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 9_2_03D41ED0 mov eax, dword ptr fs:[00000030h] 9_2_03D41ED0
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 9_2_03D436B0 mov eax, dword ptr fs:[00000030h] 9_2_03D436B0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_00180B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_00180B62
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_00152622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00152622
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_0014083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0014083F
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_001409D5 SetUnhandledExceptionFilter, 0_2_001409D5
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_00140C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00140C21
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_002F2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_002F2622
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_002E083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_002E083F
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_002E09D5 SetUnhandledExceptionFilter, 6_2_002E09D5
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_002E0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_002E0C21
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Maps a DLL or memory area into another process
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\AppData\Local\directory\name.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 25D008 Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 60F008 Jump to behavior
Contains functionality to execute programs as a different user
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_00181201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_00181201
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_00162BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00162BA5
Contains functionality to simulate keystroke presses
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_0018B226 SendInput,keybd_event, 0_2_0018B226
Contains functionality to simulate mouse events
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_001A22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event, 0_2_001A22DA
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\AppData\Local\directory\name.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\PsBygexGwH.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\directory\name.exe" Jump to behavior
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_00180B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_00180B62
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_00181663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_00181663
Source: PsBygexGwH.exe, name.exe.0.dr Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: PsBygexGwH.exe, name.exe Binary or memory string: Shell_TrayWnd
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_00140698 cpuid 0_2_00140698
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_00198195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW, 0_2_00198195
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_0017D27A GetUserNameW, 0_2_0017D27A
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_0015BB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 0_2_0015BB6F
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_001242DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_001242DE
Source: C:\Users\user\Desktop\PsBygexGwH.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 9.2.name.exe.40c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.name.exe.3910000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.name.exe.3910000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.name.exe.40c0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.3000550046.0000000003910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4087333000.0000000000579000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.4089048869.0000000002801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3132403905.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4088699250.0000000002551000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: name.exe PID: 3052, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 5444, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: name.exe PID: 4556, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 3844, type: MEMORYSTR
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
OS version to string mapping found (often used in BOTs)
Source: name.exe Binary or memory string: WIN_81
Source: name.exe Binary or memory string: WIN_XP
Source: name.exe.0.dr Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: name.exe Binary or memory string: WIN_XPe
Source: name.exe Binary or memory string: WIN_VISTA
Source: name.exe Binary or memory string: WIN_7
Source: name.exe Binary or memory string: WIN_8
Yara detected Credential Stealer
Source: Yara match File source: 9.2.name.exe.40c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.name.exe.3910000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.name.exe.3910000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.name.exe.40c0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.3000550046.0000000003910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4087333000.0000000000579000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3132403905.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: name.exe PID: 3052, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 5444, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: name.exe PID: 4556, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 3844, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 9.2.name.exe.40c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.name.exe.3910000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.name.exe.3910000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.name.exe.40c0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.3000550046.0000000003910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4087333000.0000000000579000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.4089048869.0000000002801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3132403905.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4088699250.0000000002551000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: name.exe PID: 3052, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 5444, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: name.exe PID: 4556, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 3844, type: MEMORYSTR
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_001A1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 0_2_001A1204
Source: C:\Users\user\Desktop\PsBygexGwH.exe Code function: 0_2_001A1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_001A1806
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_00341204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 6_2_00341204
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_00341806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 6_2_00341806
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1422242 Sample: PsBygexGwH.exe Startdate: 08/04/2024 Architecture: WINDOWS Score: 100 32 checkip.dyndns.org 2->32 34 scratchdreams.tk 2->34 36 2 other IPs or domains 2->36 44 Multi AV Scanner detection for domain / URL 2->44 46 Found malware configuration 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 8 other signatures 2->50 8 PsBygexGwH.exe 6 2->8         started        12 wscript.exe 1 2->12         started        signatures3 process4 file5 26 C:\Users\user\AppData\Local\...\name.exe, PE32 8->26 dropped 28 C:\Users\user\AppData\Local\Temp\troopwise, MIPSEB 8->28 dropped 56 Binary is likely a compiled AutoIt script file 8->56 58 Found API chain indicative of sandbox detection 8->58 14 name.exe 3 8->14         started        60 Windows Scripting host queries suspicious COM object (likely to drop second stage) 12->60 18 name.exe 2 12->18         started        signatures6 process7 file8 30 C:\Users\user\AppData\Roaming\...\name.vbs, data 14->30 dropped 62 Binary is likely a compiled AutoIt script file 14->62 64 Machine Learning detection for dropped file 14->64 66 Drops VBS files to the startup folder 14->66 72 2 other signatures 14->72 20 RegSvcs.exe 15 2 14->20         started        68 Writes to foreign memory regions 18->68 70 Maps a DLL or memory area into another process 18->70 24 RegSvcs.exe 2 18->24         started        signatures9 process10 dnsIp11 38 checkip.dyndns.com 158.101.44.242, 49737, 49740, 49742 ORACLE-BMC-31898US United States 20->38 40 scratchdreams.tk 104.21.27.85, 443, 49752, 49768 CLOUDFLARENETUS United States 20->40 42 reallyfreegeoip.org 172.67.177.134, 443, 49738, 49739 CLOUDFLARENETUS United States 20->42 52 Tries to steal Mail credentials (via file / registry access) 24->52 54 Tries to harvest and steal browser information (history, passwords, etc) 24->54 signatures12
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
158.101.44.242
 checkip.dyndns.com United States
31898 ORACLE-BMC-31898US false
172.67.177.134
 reallyfreegeoip.org United States
13335 CLOUDFLARENETUS false
104.21.27.85
 scratchdreams.tk United States
13335 CLOUDFLARENETUS false

Contacted Domains

Name IP Active
reallyfreegeoip.org 172.67.177.134 true
scratchdreams.tk 104.21.27.85 true
checkip.dyndns.com 158.101.44.242 true
checkip.dyndns.org unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://checkip.dyndns.org/ false
  • URL Reputation: safe
 unknown
https://scratchdreams.tk/_send_.php?TS false
  • 14%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown
https://reallyfreegeoip.org/xml/102.129.152.231 false
  • Avira URL Cloud: safe
 unknown