
Windows Analysis Report
BANK FORM_pdf.exe

Overview

General Information

Sample name:BANK FORM_pdf.exe
Analysis ID:1596648
MD5:c43bb9c643319aaa0974682d7189076f
SHA1:fa474609fa251fae5f5716694e5b43f4bbe2fc92
SHA256:a53c112481f03e65d715114bdd8409f7f56e5b555a22d2f4faf3731b8b9717b0
Tags:exeuser-lowmal3
Infos:

Detection

MassLogger RAT
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected MassLogger RAT
Yara detected Telegram RAT
.NET source code references suspicious native API functions
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • BANK FORM_pdf.exe (PID: 1372 cmdline: "C:\Users\user\Desktop\BANK FORM_pdf.exe" MD5: C43BB9C643319AAA0974682D7189076F)
    • RegSvcs.exe (PID: 4204 cmdline: "C:\Users\user\Desktop\BANK FORM_pdf.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
{"EXfil Mode": "Telegram", "Telegram Token": "7756640782:AAGnFu3e4jddvj5TE8bEBVB_3c_4DP5vedk", "Telegram Chatid": "6070433873"}
Source | Rule | Description | Author | Strings
00000000.00000002.2150535626.0000000004290000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
00000000.00000002.2150535626.0000000004290000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.2150535626.0000000004290000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
00000000.00000002.2150535626.0000000004290000.00000004.00001000.00020000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0xf1df:$a1: get_encryptedPassword
  • 0xf507:$a2: get_encryptedUsername
  • 0xef7a:$a3: get_timePasswordChanged
  • 0xf09b:$a4: get_passwordField
  • 0xf1f5:$a5: set_encryptedPassword
  • 0x10b51:$a7: get_logins
  • 0x10802:$a8: GetOutlookPasswords
  • 0x105f4:$a9: StartKeylogger
  • 0x10aa1:$a10: KeyLoggerEventArgs
  • 0x10651:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.2150535626.0000000004290000.00000004.00001000.00020000.00000000.sdmp | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth
  • 0x1418b:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x13689:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x13997:$a4: \Orbitum\User Data\Default\Login Data
  • 0x1478f:$a5: \Kometa\User Data\Default\Login Data
Source | Rule | Description | Author | Strings
0.2.BANK FORM_pdf.exe.4290000.1.unpack | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
0.2.BANK FORM_pdf.exe.4290000.1.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.BANK FORM_pdf.exe.4290000.1.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
0.2.BANK FORM_pdf.exe.4290000.1.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0xd3df:$a1: get_encryptedPassword
  • 0xd707:$a2: get_encryptedUsername
  • 0xd17a:$a3: get_timePasswordChanged
  • 0xd29b:$a4: get_passwordField
  • 0xd3f5:$a5: set_encryptedPassword
  • 0xed51:$a7: get_logins
  • 0xea02:$a8: GetOutlookPasswords
  • 0xe7f4:$a9: StartKeylogger
  • 0xeca1:$a10: KeyLoggerEventArgs
  • 0xe851:$a11: KeyLoggerEventArgsEventHandler
0.2.BANK FORM_pdf.exe.4290000.1.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth
  • 0x1238b:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x11889:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x11b97:$a4: \Orbitum\User Data\Default\Login Data
  • 0x1298f:$a5: \Kometa\User Data\Default\Login Data
              No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-22T09:47:13.560147+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49704 | 132.226.8.169 | 80 | TCP


              AV Detection

Source: 00000002.00000002.3381640583.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "7756640782:AAGnFu3e4jddvj5TE8bEBVB_3c_4DP5vedk", "Telegram Chatid": "6070433873"}
Source: BANK FORM_pdf.exe | ReversingLabs: Detection: 18%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.8% probability
Source: BANK FORM_pdf.exe | Joe Sandbox ML: detected

              Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: BANK FORM_pdf.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.5:49705 version: TLS 1.0
              Source: Binary string: wntdll.pdbUGP source: BANK FORM_pdf.exe, 00000000.00000003.2145786228.00000000042B0000.00000004.00001000.00020000.00000000.sdmp, BANK FORM_pdf.exe, 00000000.00000003.2148021710.0000000004470000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdb source: BANK FORM_pdf.exe, 00000000.00000003.2145786228.00000000042B0000.00000004.00001000.00020000.00000000.sdmp, BANK FORM_pdf.exe, 00000000.00000003.2148021710.0000000004470000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B360DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose | 0_2_00B360DD
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B363F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose | 0_2_00B363F9
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B3EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose | 0_2_00B3EB60
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B36CA9 GetFileAttributesW,FindFirstFileW,FindClose | 0_2_00B36CA9
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B3F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf | 0_2_00B3F5FA
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B3F56F FindFirstFileW,FindClose | 0_2_00B3F56F
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B41B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_00B41B2F
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B41C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_00B41C8A
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B41F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose | 0_2_00B41F94
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 02AB5782h | 2_2_02AB5358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 02AB51B9h | 2_2_02AB4F08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 02AB5782h | 2_2_02AB56AF
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View | IP Address: 104.21.96.1 104.21.96.1
Source: Joe Sandbox View | IP Address: 104.21.96.1 104.21.96.1
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49704 -> 132.226.8.169:80
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.5:49705 version: TLS 1.0
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B44EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile | 0_2_00B44EB5
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: RegSvcs.exe, 00000002.00000002.3381640583.0000000002D50000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000002.00000002.3381640583.0000000002D50000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.comd
Source: RegSvcs.exe, 00000002.00000002.3381640583.0000000002D50000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.comh
Source: RegSvcs.exe, 00000002.00000002.3381640583.0000000002D3E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3381640583.0000000002D50000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000002.00000002.3381640583.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: RegSvcs.exe, 00000002.00000002.3381640583.0000000002D50000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/d
Source: BANK FORM_pdf.exe, 00000000.00000002.2150535626.0000000004290000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3379815287.0000000000402000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000002.00000002.3381640583.0000000002D50000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.orgd
Source: RegSvcs.exe, 00000002.00000002.3381640583.0000000002D6D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000002.00000002.3381640583.0000000002D6D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.orgd
Source: RegSvcs.exe, 00000002.00000002.3381640583.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: BANK FORM_pdf.exe, 00000000.00000002.2150535626.0000000004290000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3379815287.0000000000402000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: RegSvcs.exe, 00000002.00000002.3381640583.0000000002D50000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
Source: BANK FORM_pdf.exe, 00000000.00000002.2150535626.0000000004290000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3379815287.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3381640583.0000000002D50000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000002.00000002.3381640583.0000000002D50000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: RegSvcs.exe, 00000002.00000002.3381640583.0000000002D50000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705

              Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.BANK FORM_pdf.exe.4290000.1.raw.unpack, UltraSpeed.cs | .Net Code: VKCodeToUnicode
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B46B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard | 0_2_00B46B0C
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B46D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard | 0_2_00B46D07
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B46B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard | 0_2_00B46B0C
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B32B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState | 0_2_00B32B37
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B5F7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW | 0_2_00B5F7FF

              System Summary

Source: 0.2.BANK FORM_pdf.exe.4290000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.BANK FORM_pdf.exe.4290000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.BANK FORM_pdf.exe.4290000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.BANK FORM_pdf.exe.4290000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000000.00000002.2150535626.0000000004290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2150535626.0000000004290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000002.00000002.3379815287.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: BANK FORM_pdf.exe PID: 1372, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 4204, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: This is a third-party compiled AutoIt script. | 0_2_00AF3D19
Source: BANK FORM_pdf.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: BANK FORM_pdf.exe, 00000000.00000002.2149413557.0000000000B9E000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_c1d3c70d-e
Source: BANK FORM_pdf.exe, 00000000.00000002.2149413557.0000000000B9E000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_47da9bba-9
Source: BANK FORM_pdf.exe | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_c7ac0136-9
Source: BANK FORM_pdf.exe | String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_200f49bd-0
Source: initial sample | Static PE information: Filename: BANK FORM_pdf.exe
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B36685: CreateFileW,DeviceIoControl,CloseHandle | 0_2_00B36685
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B2ACC5 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock | 0_2_00B2ACC5
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B379D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState | 0_2_00B379D3
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B03B70 | 0_2_00B03B70
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B2410F | 0_2_00B2410F
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B102A4 | 0_2_00B102A4
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00AFE3B0 | 0_2_00AFE3B0
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B2038E | 0_2_00B2038E
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B106D9 | 0_2_00B106D9
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B2467F | 0_2_00B2467F
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B5AACE | 0_2_00B5AACE
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B24BEF | 0_2_00B24BEF
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B1CCC1 | 0_2_00B1CCC1
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00AF6F07 | 0_2_00AF6F07
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00AFAF50 | 0_2_00AFAF50
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B1B043 | 0_2_00B1B043
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B1D1B9 | 0_2_00B1D1B9
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B531BC | 0_2_00B531BC
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B0B11F | 0_2_00B0B11F
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B1123A | 0_2_00B1123A
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B03200 | 0_2_00B03200
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B2724D | 0_2_00B2724D
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00AF93F0 | 0_2_00AF93F0
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B313CA | 0_2_00B313CA
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B0F563 | 0_2_00B0F563
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00AF96C0 | 0_2_00AF96C0
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B3B6CC | 0_2_00B3B6CC
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00AF77B0 | 0_2_00AF77B0
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B5F7FF | 0_2_00B5F7FF
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B279C9 | 0_2_00B279C9
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B0FA57 | 0_2_00B0FA57
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00AF9B60 | 0_2_00AF9B60
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00AF7D19 | 0_2_00AF7D19
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B19ED0 | 0_2_00B19ED0
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B0FE6F | 0_2_00B0FE6F
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00AF7FA3 | 0_2_00AF7FA3
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_01BAE030 | 0_2_01BAE030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_02ABC168 | 2_2_02ABC168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_02ABA7D2 | 2_2_02ABA7D2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_02ABCAB0 | 2_2_02ABCAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_02AB7E68 | 2_2_02AB7E68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_02AB4F08 | 2_2_02AB4F08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_02AB2DD1 | 2_2_02AB2DD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_02ABCAAF | 2_2_02ABCAAF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_02ABB9E0 | 2_2_02ABB9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_02ABB9DC | 2_2_02ABB9DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_02AB4EF8 | 2_2_02AB4EF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_02AB7E67 | 2_2_02AB7E67
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: String function: 00B1F8A0 appears 35 times
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: String function: 00B0EC2F appears 68 times
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: String function: 00B16AC0 appears 42 times
Source: BANK FORM_pdf.exe, 00000000.00000003.2146869586.00000000043D3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs BANK FORM_pdf.exe
Source: BANK FORM_pdf.exe, 00000000.00000003.2147020367.000000000457D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs BANK FORM_pdf.exe
Source: BANK FORM_pdf.exe, 00000000.00000002.2150535626.0000000004290000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCloudServices.exe< vs BANK FORM_pdf.exe
Source: BANK FORM_pdf.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 0.2.BANK FORM_pdf.exe.4290000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.BANK FORM_pdf.exe.4290000.1.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.BANK FORM_pdf.exe.4290000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.BANK FORM_pdf.exe.4290000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.2150535626.0000000004290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2150535626.0000000004290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.3379815287.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: BANK FORM_pdf.exe PID: 1372, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: Process Memory Space: RegSvcs.exe PID: 4204, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.BANK FORM_pdf.exe.4290000.1.raw.unpack, UltraSpeed.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.BANK FORM_pdf.exe.4290000.1.raw.unpack, COVIDPickers.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/2
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B3CE7A GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B2AB84 AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B2B134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B3E1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B36532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B4C18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00AF406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | File created: C:\Users\user\AppData\Local\Temp\maneuverability
Source: BANK FORM_pdf.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RegSvcs.exe, 00000002.00000002.3381640583.0000000002DCE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3381640583.0000000002DEF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3382242213.0000000003CFD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3381640583.0000000002DE3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3381640583.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3381640583.0000000002DB0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: BANK FORM_pdf.exe | ReversingLabs: Detection: 18%
Source: unknown | Process created: C:\Users\user\Desktop\BANK FORM_pdf.exe "C:\Users\user\Desktop\BANK FORM_pdf.exe"
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\BANK FORM_pdf.exe"
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\BANK FORM_pdf.exe"
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: BANK FORM_pdf.exe | Static file information: File size 1138688 > 1048576
Source: BANK FORM_pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: BANK FORM_pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: BANK FORM_pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: BANK FORM_pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: BANK FORM_pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: BANK FORM_pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: BANK FORM_pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Binary string: wntdll.pdbUGP source: BANK FORM_pdf.exe, 00000000.00000003.2145786228.00000000042B0000.00000004.00001000.00020000.00000000.sdmp, BANK FORM_pdf.exe, 00000000.00000003.2148021710.0000000004470000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdb source: BANK FORM_pdf.exe, 00000000.00000003.2145786228.00000000042B0000.00000004.00001000.00020000.00000000.sdmp, BANK FORM_pdf.exe, 00000000.00000003.2148021710.0000000004470000.00000004.00001000.00020000.00000000.sdmp
Source: BANK FORM_pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: BANK FORM_pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: BANK FORM_pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: BANK FORM_pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: BANK FORM_pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B0E01E LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B16B05 push ecx; ret 0_2_00B16B18
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B58111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B0EB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
              Source: C:\Users\user\Desktop\BANK FORM_pdf.exeCode function: 0_2_00B1123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00B1123A
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | API/Special instruction interceptor: Address: 1BADC54
Source: BANK FORM_pdf.exe, 00000000.00000002.2150014153.0000000001A04000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: FIDDLER.EXE
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | API coverage: 4.0 %
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B360DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B363F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B3EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B36CA9 GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B3F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B3F56F FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B41B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B41C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B41F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B0DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo
Source: BANK FORM_pdf.exe, 00000000.00000002.2150048037.0000000001A3B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vmwareworkstation.exe
Source: RegSvcs.exe, 00000002.00000002.3380140164.0000000000F86000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | API call chain: ExitProcess graph end node | graph_0-94602
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_02ABC168 LdrInitializeThunk,LdrInitializeThunk
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B46AAF BlockInput
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00AF3D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B23920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B0E01E LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_01BAC840 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_01BADF20 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_01BADEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B2A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B181AC SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B18189 SetUnhandledExceptionFilter
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion

Source: 0.2.BANK FORM_pdf.exe.4290000.1.raw.unpack, UltraSpeed.cs | Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 0.2.BANK FORM_pdf.exe.4290000.1.raw.unpack, FFDecryptor.cs | Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 0.2.BANK FORM_pdf.exe.4290000.1.raw.unpack, FFDecryptor.cs | Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: B1C008
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B2B106 LogonUserW
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00AF3D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B3411C SendInput,keybd_event
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B374BB mouse_event
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\BANK FORM_pdf.exe"
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B2A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B371FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid
Source: BANK FORM_pdf.exe | Binary or memory string: Shell_TrayWnd
Source: BANK FORM_pdf.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B165C4 cpuid
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B4091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B6B340 GetUserNameW
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B21E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe | Code function: 0_2_00B0DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information

Source: Yara match | File source: 0.2.BANK FORM_pdf.exe.4290000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.BANK FORM_pdf.exe.4290000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2150535626.0000000004290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3379815287.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: BANK FORM_pdf.exe PID: 1372, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 4204, type: MEMORYSTR
Source: Yara match | File source: 0.2.BANK FORM_pdf.exe.4290000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.BANK FORM_pdf.exe.4290000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2150535626.0000000004290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3379815287.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: BANK FORM_pdf.exe PID: 1372, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 4204, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: BANK FORM_pdf.exe | Binary or memory string: WIN_81
Source: BANK FORM_pdf.exe | Binary or memory string: WIN_XP
Source: BANK FORM_pdf.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
Source: BANK FORM_pdf.exe | Binary or memory string: WIN_XPe
Source: BANK FORM_pdf.exe | Binary or memory string: WIN_VISTA
Source: BANK FORM_pdf.exe | Binary or memory string: WIN_7
Source: BANK FORM_pdf.exe | Binary or memory string: WIN_8
Source: Yara match | File source: 0.2.BANK FORM_pdf.exe.4290000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.BANK FORM_pdf.exe.4290000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2150535626.0000000004290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3379815287.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.3381640583.0000000002E26000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: BANK FORM_pdf.exe PID: 1372, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 4204, type: MEMORYSTR
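The two file opens and the registry key open above are the behaviours a host-based detection should key on: the Chrome and Edge "Login Data" SQLite stores and the Outlook MAPI profile key (the 9375CFF0413111d3B88A00104B2A6676 subkey holds mail account settings) are only legitimately touched by the browser and by Outlook, and RegSvcs.exe, a .NET framework utility, has no reason to open either or to talk to the network. The following is an added example, not code from the report or from Joe Sandbox: it runs that logic over constructed telemetry events. The event schema (dicts with type, image, target) is hypothetical; the paths and process names are the ones recorded above, the events themselves are made up for the test.

```python
"""
Added example: host-side detection for credential-store access by an unexpected
process and for network activity from .NET utility binaries that are common
injection targets. Event format is a hypothetical generic telemetry schema.
"""
import ntpath
import re

# Credential stores and the only images that should open them.
CREDENTIAL_STORES = [
    (re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\Login Data$", re.I), {"chrome.exe"}),
    (re.compile(r"\\Microsoft\\Edge\\User Data\\[^\\]+\\Login Data$", re.I), {"msedge.exe"}),
]
# Outlook MAPI profile store; the GUID subkey is where account settings live.
OUTLOOK_PROFILE_KEY = re.compile(
    r"\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676", re.I)
OUTLOOK_ALLOWED = {"outlook.exe"}

# .NET framework utilities that malware hollows into; none of them should make
# network connections in normal operation.
DOTNET_HOLLOW_TARGETS = {"regsvcs.exe", "regasm.exe", "msbuild.exe",
                         "installutil.exe", "aspnet_compiler.exe"}


def basename(image):
    """Lower-cased file name of a Windows image path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(image).lower()


def evaluate(event):
    """Return the alert strings raised by one event (empty list when benign)."""
    alerts = []
    img = basename(event["image"])
    target = event["target"]
    if event["type"] == "file_open":
        for pattern, allowed in CREDENTIAL_STORES:
            if pattern.search(target) and img not in allowed:
                alerts.append(f"browser credential store opened by {img}: {target}")
    elif event["type"] == "reg_open":
        if OUTLOOK_PROFILE_KEY.search(target) and img not in OUTLOOK_ALLOWED:
            alerts.append(f"Outlook profile key opened by {img}")
    elif event["type"] == "net_connect":
        if img in DOTNET_HOLLOW_TARGETS:
            alerts.append(f"network connection from .NET utility {img} to {target}")
    return alerts


def run(events):
    """Evaluate a batch of events and return every alert in order."""
    return [alert for event in events for alert in evaluate(event)]


# Constructed sample telemetry (not the report's own event log). The first and
# fifth events are the legitimate owners opening their own stores.
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
OUTLOOK_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion"
               r"\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676")
SAMPLE_EVENTS = [
    {"type": "file_open", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file_open", "image": REGSVCS,
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file_open", "image": REGSVCS,
     "target": r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"},
    {"type": "reg_open", "image": REGSVCS, "target": OUTLOOK_KEY},
    {"type": "reg_open", "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "target": OUTLOOK_KEY},
    {"type": "net_connect", "image": REGSVCS, "target": "132.226.8.169:80"},
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

The allowlists are deliberately narrow: backup agents or password managers that legitimately read "Login Data" should be added per environment rather than by loosening the rule, and the .NET-utility rule is worth keeping unconditional because those binaries never need network access on their own.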

Remote Access Functionality

Yara matches (two separate rule hits):

Source: Yara match, File source: 0.2.BANK FORM_pdf.exe.4290000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.BANK FORM_pdf.exe.4290000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000000.00000002.2150535626.0000000004290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.3379815287.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: BANK FORM_pdf.exe PID: 1372, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: RegSvcs.exe PID: 4204, type: MEMORYSTR

Source: Yara match, File source: 0.2.BANK FORM_pdf.exe.4290000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.BANK FORM_pdf.exe.4290000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000000.00000002.2150535626.0000000004290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.3379815287.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: BANK FORM_pdf.exe PID: 1372, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: RegSvcs.exe PID: 4204, type: MEMORYSTR

Listening-socket code in the dropper:

Source: C:\Users\user\Desktop\BANK FORM_pdf.exe, Code function: 0_2_00B48C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
Source: C:\Users\user\Desktop\BANK FORM_pdf.exe, Code function: 0_2_00B4923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket

Caveat: both entries are static code-level findings inside the AutoIt interpreter that the script is compiled into. The socket/bind/listen and socket/bind sequences are consistent with the interpreter's built-in TCPListen and UDPBind implementations, which are present in every compiled AutoIt binary whether or not the script uses them, so on their own they are not evidence of a listening backdoor. In this run 43 functions executed and 303 did not, the contacted domains are only the IP-check and geolocation services listed further down, and api.telegram.org occurs only as a string in memory.
MITRE ATT&CK matrix

Techniques matched by this sample, grouped by tactic. The digits after each technique are the report's hit counters, reproduced as printed; the unmatched placeholder cells of the full matrix are omitted.

Reconnaissance: none
Resource Development: none
Initial Access: Valid Accounts (2)
Execution: Native API (11)
Persistence: DLL Side-Loading (1), Valid Accounts (2)
Privilege Escalation: Exploitation for Privilege Escalation (1), DLL Side-Loading (1), Valid Accounts (2), Access Token Manipulation (21), Process Injection (212)
Defense Evasion: Disable or Modify Tools (11), Deobfuscate/Decode Files or Information (11), Obfuscated Files or Information (3), DLL Side-Loading (1), Valid Accounts (2), Access Token Manipulation (21), Process Injection (212)
Credential Access: OS Credential Dumping (1), Input Capture (121)
Discovery: System Time Discovery (2), Account Discovery (1), File and Directory Discovery (1), System Information Discovery (127), Security Software Discovery (231), Process Discovery (2), Application Window Discovery (1), System Owner/User Discovery (1), System Network Configuration Discovery (1)
Lateral Movement: none
Collection: Archive Collected Data (11), Data from Local System (1), Email Collection (1), Input Capture (121), Clipboard Data (3)
Command and Control: Ingress Tool Transfer (2), Encrypted Channel (11), Non-Application Layer Protocol (2), Application Layer Protocol (13)
Exfiltration: none
Impact: System Shutdown/Reboot (1)

Antivirus, machine learning and genetic malware detection

Initial sample:
Source              Detection   Scanner          Label
BANK FORM_pdf.exe   18%         ReversingLabs
BANK FORM_pdf.exe   100%        Joe Sandbox ML

Dropped files: no antivirus matches
Unpacked PE files: no antivirus matches
Domains: no antivirus matches

URLs:
Source                       Detection   Scanner           Label
http://checkip.dyndns.comh   0%          Avira URL Cloud   safe
(The trailing "h" here, and the trailing "d", "l" and "q" on several URLs in the memory-string table below, are string-extraction artifacts: the byte that happened to follow the URL in memory. The URLs themselves end at ".com", ".org" or "/".)

Domains contacted:
Name                  IP              Active    Malicious   Antivirus Detection   Reputation
reallyfreegeoip.org   104.21.96.1     true      false                             high
checkip.dyndns.com    132.226.8.169   true      false                             high
checkip.dyndns.org    unknown         unknown   false                             high

URLs observed during analysis:
Name                                           Malicious   Antivirus Detection   Reputation
http://checkip.dyndns.org/                     false                             high
https://reallyfreegeoip.org/xml/8.46.123.189   false                             high
URLs found in process memory (Name | Source | Malicious | Antivirus Detection | Reputation):

https://reallyfreegeoip.org/xml/8.46.123.189l | RegSvcs.exe, 00000002.00000002.3381640583.0000000002D50000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.comd | RegSvcs.exe, 00000002.00000002.3381640583.0000000002D50000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.comh | RegSvcs.exe, 00000002.00000002.3381640583.0000000002D50000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://checkip.dyndns.org/q | BANK FORM_pdf.exe, 00000000.00000002.2150535626.0000000004290000.00000004.00001000.00020000.00000000.sdmp; RegSvcs.exe, 00000002.00000002.3379815287.0000000000402000.00000040.80000000.00040000.00000000.sdmp | false | | high
http://reallyfreegeoip.orgd | RegSvcs.exe, 00000002.00000002.3381640583.0000000002D6D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org/xml/8.46.123.189d | RegSvcs.exe, 00000002.00000002.3381640583.0000000002D50000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://reallyfreegeoip.org | RegSvcs.exe, 00000002.00000002.3381640583.0000000002D6D000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.orgd | RegSvcs.exe, 00000002.00000002.3381640583.0000000002D50000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org | RegSvcs.exe, 00000002.00000002.3381640583.0000000002D50000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.org | RegSvcs.exe, 00000002.00000002.3381640583.0000000002D3E000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 00000002.00000002.3381640583.0000000002D50000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.com | RegSvcs.exe, 00000002.00000002.3381640583.0000000002D50000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.org/d | RegSvcs.exe, 00000002.00000002.3381640583.0000000002D50000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegSvcs.exe, 00000002.00000002.3381640583.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot-/sendDocument?chat_id= | BANK FORM_pdf.exe, 00000000.00000002.2150535626.0000000004290000.00000004.00001000.00020000.00000000.sdmp; RegSvcs.exe, 00000002.00000002.3379815287.0000000000402000.00000040.80000000.00040000.00000000.sdmp | false | | high
https://reallyfreegeoip.org/xml/ | BANK FORM_pdf.exe, 00000000.00000002.2150535626.0000000004290000.00000004.00001000.00020000.00000000.sdmp; RegSvcs.exe, 00000002.00000002.3379815287.0000000000402000.00000040.80000000.00040000.00000000.sdmp; RegSvcs.exe, 00000002.00000002.3381640583.0000000002D50000.00000004.00000800.00020000.00000000.sdmp | false | | high

Reading the table: the bare template https://reallyfreegeoip.org/xml/ and the Telegram sendDocument URL are found in the unpacked payload images (regions 4290000 in the dropper and 402000 in RegSvcs.exe), i.e. they are hard-coded; the IP-suffixed form https://reallyfreegeoip.org/xml/8.46.123.189 appears only in RegSvcs.exe heap memory, i.e. it was built at run time from the result of the checkip.dyndns.org lookup. In the Telegram URL the bot-token position between "bot" and "/" holds only "-", so this string carries no token.
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious):

132.226.8.169   | checkip.dyndns.com    | United States | 16989 | UTMEMUS         | false
104.21.96.1     | reallyfreegeoip.org   | United States | 13335 | CLOUDFLARENETUS | false
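Neither contacted host is malicious by itself: checkip.dyndns.org returns the caller's public IP and reallyfreegeoip.org turns that IP into a country, which is how the sample implements "Tries to detect the country of the analysis system (by using the IP)". What is worth alerting on is the sequence, an IP check immediately followed by a geolocation lookup, and its continuation to an exfiltration endpoint such as the Telegram bot API referenced in memory. The following is an added example, not code from the report: it applies that sequence logic to constructed DNS/proxy-style log lines. The log format ("epoch client host" per line) is hypothetical, and the extra IP-check and geolocation hostnames beyond those in the report are a generalisation added here.

```python
"""
Added example: network-side detection of the IP-check -> geolocation -> exfil
sequence. Hostnames from the report plus a few other common services; the
log format and the log lines themselves are constructed for this example.
"""
from collections import defaultdict

IP_CHECK = {"checkip.dyndns.org", "checkip.dyndns.com", "checkip.amazonaws.com", "api.ipify.org"}
GEO_LOOKUP = {"reallyfreegeoip.org", "freegeoip.app", "ip-api.com"}
EXFIL = {"api.telegram.org"}  # Telegram bot API, matching the sendDocument string in memory
WINDOW = 60                   # seconds allowed between the IP check and the later stages
RANK = {"recon": 1, "exfil": 2}


def parse(lines):
    """Turn '<epoch> <client_ip> <host>' lines into (ts, client, host) tuples."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, client, host = line.split()
        events.append((int(ts), client, host.lower().rstrip(".")))
    return events


def classify(host):
    """Map a hostname to its role in the chain, or None if it is not of interest."""
    if host in IP_CHECK:
        return "ipcheck"
    if host in GEO_LOOKUP:
        return "geo"
    if host in EXFIL:
        return "exfil"
    return None


def detect(lines):
    """Return {client_ip: stage}. 'recon' = an IP check followed by a geolocation
    lookup within WINDOW seconds; 'exfil' = the same plus an exfiltration host in
    that window. A single lookup of any of these hosts raises nothing."""
    per_client = defaultdict(list)
    for ts, client, host in sorted(parse(lines)):
        kind = classify(host)
        if kind:
            per_client[client].append((ts, kind))
    verdicts = {}
    for client, evs in per_client.items():
        for i, (t0, kind0) in enumerate(evs):
            if kind0 != "ipcheck":
                continue
            later = {k for t, k in evs[i + 1:] if t - t0 <= WINDOW}
            if "geo" in later:
                stage = "exfil" if "exfil" in later else "recon"
                if RANK[stage] > RANK.get(verdicts.get(client), 0):
                    verdicts[client] = stage
    return verdicts


# Constructed log: one host running the full chain, one whose geolocation lookup
# is far outside the window, one that only geolocates, and one recon-only host.
SAMPLE_LOG = """
# ts     client      host
1000     10.0.0.5    checkip.dyndns.org
1002     10.0.0.5    reallyfreegeoip.org
1010     10.0.0.5    api.telegram.org
2000     10.0.0.7    checkip.dyndns.org
2500     10.0.0.7    reallyfreegeoip.org
3000     10.0.0.9    reallyfreegeoip.org
4000     10.0.0.11   checkip.dyndns.com
4005     10.0.0.11   reallyfreegeoip.org
""".splitlines()

if __name__ == "__main__":
    for client, stage in sorted(detect(SAMPLE_LOG).items()):
        print(f"{client}: {stage}")
```

The window is the tunable part: this family performs the two lookups back to back at start-up, so a short window keeps the rule precise; widen it only if your log timestamps are coarse. Because the Telegram token slot in the recovered string is empty, this particular run never reached the exfil stage, which is exactly the case where the recon-only verdict is still useful.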
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1596648
Start date and time: 2025-01-22 09:46:07 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 13s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: BANK FORM_pdf.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/1@2/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 43
• Number of non-executed functions: 303
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.44, 172.202.163.200
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
No simulations
Context: other samples sharing indicators with this one. Each entry gives the associated sample name or URL, its detection and threat name, and in parentheses the matching URL or IP from that sample's analysis.

IP 132.226.8.169:
• számla kiegyenlítése fizetéshez 2025. január 20.xlsx.exe, malicious, MassLogger RAT (checkip.dyndns.org/)
• NEW ORDER 2421000912.exe, malicious, Snake Keylogger (checkip.dyndns.org/)
• Ship informations_pdf.exe, malicious, MassLogger RAT (checkip.dyndns.org/)
• z1NewPO4504193294.exe, malicious, MassLogger RAT (checkip.dyndns.org/)
• Scanned_copyLg562#.exe, malicious, MassLogger RAT (checkip.dyndns.org/)
• OUTSTANDING PAYMENT REQUEST.exe, malicious, Snake Keylogger, VIP Keylogger (checkip.dyndns.org/)
• CL JIUJIANG VESSEL & CARGO DETAILS.pdf.scr.exe, malicious, MassLogger RAT (checkip.dyndns.org/)
• Details.exe, malicious, Snake Keylogger (checkip.dyndns.org/)
• 80 Statement of accounts as of Sep 11 2024.exe, malicious, Snake Keylogger, VIP Keylogger (checkip.dyndns.org/)
• PAYMENT SLIP.exe, malicious, MassLogger RAT (checkip.dyndns.org/)

IP 104.21.96.1:
• CV-Elena-Alba-Garcia.exe, malicious, FormBook (www.cheapwil.shop/ekxu/)
• Purchase Order.exe, malicious, FormBook (www.shlomi.app/378r/)
• Payment Slip rar.exe, malicious, FormBook (www.enoughmoney.online/ttkm/)
• ZPM AUGUST 24 BCK.exe, malicious, Brontok (www.20mbweb.com/Kids/dbrosji/Host18.css)
• k9OEsV37GE.exe, malicious, FormBook (www.uzshou.world/kbd2/?EtJTX=_JVX4ryxDRQpLJF&cNPH=ufZ7RYF4yLxNXVSq5Vx/4TYieRbcnKjskkbM3L5RbgB1pAgqHA7sfCNkYWLyXRMMwBB3JLbYKUw1FAOWml6VLpxPVZ4qXf58MsNUIQgw/PJ5HUGIvLQvrl5frN9PrRFpPiAd2cDcH6Sr)
• gH3LlhcRzg.exe, malicious, FormBook (www.dejikenkyu.cyou/58m5/)
• EIvidclKOb.exe, malicious, FormBook (www.mffnow.info/0pqe/)
• zE1VxVoZ3W.exe, malicious, FormBook (www.aonline.top/fqlg/)
• QUOTATION#070125-ELITE MARINE .exe, malicious, FormBook (www.mzkd6gp5.top/3u0p/)
• SH8ZyOWNi2.exe, malicious, CMSBrute (pelisplus.so/administrator/index.php)

Caveat on 104.21.96.1: this is a Cloudflare anycast address (ASN 13335) fronting many unrelated sites, which is why the matches are FormBook C2 domains and other families with no connection to this sample. Matches on a shared CDN address are not infrastructure overlap; the 132.226.8.169 and domain matches below are the meaningful ones.

Domain reallyfreegeoip.org:
• MTNP240444042266.exe, malicious, ReverseShell, Snake Keylogger (104.21.96.1)
• PO1234.001.exe, malicious, MassLogger RAT (104.21.96.1)
• Ref50102607UUU.exe, malicious, MassLogger RAT (104.21.48.1)
• Payment Error.cmd.exe, malicious, ReverseShell, Snake Keylogger (104.21.16.1)
• IMG_50117302.exe, malicious, MassLogger RAT (104.21.48.1)
• Remittance Copy.exe, malicious, MassLogger RAT (104.21.32.1)
• Annual Leave sheet 2025.vbs, malicious, MassLogger RAT (104.21.32.1)
• Halkbank Ekstre.pdf.exe, malicious, ReverseShell, Snake Keylogger, VIP Keylogger (104.21.112.1)
• számla kiegyenlítése fizetéshez 2025. január 20.xlsx.exe, malicious, MassLogger RAT (104.21.16.1)
• New Order 22012025-pdf.com.exe, malicious, ReverseShell, Snake Keylogger, VIP Keylogger (104.21.80.1)

Domain checkip.dyndns.com:
• MTNP240444042266.exe, malicious, ReverseShell, Snake Keylogger (193.122.130.0)
• PO1234.001.exe, malicious, MassLogger RAT (158.101.44.242)
• Ref50102607UUU.exe, malicious, MassLogger RAT (193.122.6.168)
• Payment Error.cmd.exe, malicious, ReverseShell, Snake Keylogger (132.226.247.73)
• IMG_50117302.exe, malicious, MassLogger RAT (193.122.130.0)
• Remittance Copy.exe, malicious, MassLogger RAT (158.101.44.242)
• Annual Leave sheet 2025.vbs, malicious, MassLogger RAT (193.122.6.168)
• Halkbank Ekstre.pdf.exe, malicious, ReverseShell, Snake Keylogger, VIP Keylogger (158.101.44.242)
• számla kiegyenlítése fizetéshez 2025. január 20.xlsx.exe, malicious, MassLogger RAT (132.226.8.169)
• New Order 22012025-pdf.com.exe, malicious, ReverseShell, Snake Keylogger, VIP Keylogger (132.226.247.73)

ASN UTMEMUS:
• PO1234.001.exe, malicious, MassLogger RAT (132.226.247.73)
• Payment Error.cmd.exe, malicious, ReverseShell, Snake Keylogger (132.226.247.73)
• számla kiegyenlítése fizetéshez 2025. január 20.xlsx.exe, malicious, MassLogger RAT (132.226.8.169)
• New Order 22012025-pdf.com.exe, malicious, ReverseShell, Snake Keylogger, VIP Keylogger (132.226.247.73)
• PO202501F.exe, malicious, ReverseShell, Snake Keylogger, VIP Keylogger (132.226.247.73)
• PURCHASE-000927736615551143.cmd.exe, malicious, DBatLoader, MassLogger RAT, PureLog Stealer (132.226.247.73)
• NEW ORDER 2421000912.exe, malicious, Snake Keylogger (132.226.8.169)
• NEW ORDER HD_FORD_000003.js, malicious, MassLogger RAT (132.226.247.73)
• MV ANNA SCHULTE.exe, malicious, Snake Keylogger (132.226.247.73)
• Revised Invoice.exe, malicious, MassLogger RAT (132.226.247.73)

ASN CLOUDFLARENETUS:
• MTNP240444042266.exe, malicious, ReverseShell, Snake Keylogger (104.21.96.1)
• u.ps1, malicious, Unknown (172.67.138.93)
• TT Copy.rar.exe, malicious, FormBook (104.21.64.1)
• jhdfer3s_jh3de.exe, malicious, Unknown (104.26.7.214)
• jhdfer3s_jh3de.exe, malicious, Unknown (104.21.64.1)
• 20252201_pdf.html, malicious, Unknown (104.17.25.14)
• http://www.nhtfxq.blogspot.ie/, malicious, Phisher (172.67.222.219)
• 3y6C4vm3To.exe, malicious, Unknown (172.64.41.3)
• http://sahadayiz.com.tr/tec/les/K82cqkpomPEEC3lMMcYg4Gph6AcNsuj8uKaZh/anJvZmVAYmVsbHBvdHRlci5jb20uYXU=, malicious, HTMLPhisher (104.18.95.41)
• https://duskrise.shop/, malicious, Unknown (104.16.123.96)

JA3 fingerprint 54328bd36c14bd82ddaa0c04b25ed9ad:
• MTNP240444042266.exe, malicious, ReverseShell, Snake Keylogger (104.21.96.1)
• VXB84UvyHp.exe, malicious, RedLine (104.21.96.1)
• PO1234.001.exe, malicious, MassLogger RAT (104.21.96.1)
• Ref50102607UUU.exe, malicious, MassLogger RAT (104.21.96.1)
• Payment Error.cmd.exe, malicious, ReverseShell, Snake Keylogger (104.21.96.1)
• IMG_50117302.exe, malicious, MassLogger RAT (104.21.96.1)
• Remittance Copy.exe, malicious, MassLogger RAT (104.21.96.1)
• Halkbank Ekstre.pdf.exe, malicious, ReverseShell, Snake Keylogger, VIP Keylogger (104.21.96.1)
• számla kiegyenlítése fizetéshez 2025. január 20.xlsx.exe, malicious, MassLogger RAT (104.21.96.1)
• New Order 22012025-pdf.com.exe, malicious, ReverseShell, Snake Keylogger, VIP Keylogger (104.21.96.1)

Caveat on the JA3 match: this fingerprint is the one presented by the stock Windows Schannel TLS stack, which is what any .NET process on the analysis system uses, so it identifies the client platform rather than the malware family. The mix of MassLogger, Snake Keylogger and RedLine in the list reflects that; do not treat the JA3 alone as an indicator.

Dropped files: no context
                                                    Process:C:\Users\user\Desktop\BANK FORM_pdf.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):93696
                                                    Entropy (8bit):6.884041569810106
                                                    Encrypted:false
                                                    SSDEEP:1536:5oUyY0s8bmFrLfJc9JjU4vsq2pwgpCtbT4Lr/MMK14M8JewP0nmD97R:XydRCVf6/jU4vsq2pHpCtbELLV0mRR
                                                    MD5:38329C87FC8D1867419088704EC71414
                                                    SHA1:3D6162EF5ABC2CFD11F13C1A4A455BAB110DC2B3
                                                    SHA-256:3DB7B5CEE8AD423AB1FCD1546D4C5FC3A479A8445E9EC28C39D1C6BA19F6EECA
                                                    SHA-512:A2A9DC398E2BC7EEB2E4B7E4F002425208186B6345A3FB00463E44D94FDADA93FF939F41B3F6E9D1B4C706139B30E1CC01F5A6E1ACD1507E8A3FEE3751D1209A
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview:...KQFLDRX1C..CH.VMV6F05.IOKRFLDVX1CDACHXVMV6F05SIOKRFLDVX1C.ACHVI.X6.9.r.N..g.,?+.36.$:9;m5W(^Z'i-.r49*v1_c...h59)3.K=?wIOKRFLD..1C.@@H.8..6F05SIOK.FNE]YaCD%BHX^MV6F05..NKRfLDV.0CDA.HXvMV6D05WIOKRFLDPX1CDACHX.LV6D05SIOKPF,.VX!CDQCHXV]V6V05SIOKBFLDVX1CDACH..LV}F05S.NK.CLDVX1CDACHXVMV6F05S.NK^FLDVX1CDACHXVMV6F05SIOKRFLDVX1CDACHXVMV6F05SIOKRFLDVx1CLACHXVMV6F05[iOK.FLDVX1CDACHv"(.BF05.+NKRfLDV<0CDCCHXVMV6F05SIOKrFL$x*B1'ACH.SMV6.15SOOKR MDVX1CDACHXVMVvF0u};*'=%LDZX1CD.BHXTMV6*15SIOKRFLDVX1C.AC.XVMV6F05SIOKRFLD..0CDACH.VMV4F55/.OK..LDUX1C.ACN..MV.F05SIOKRFLDVX1CDACHXVMV6F05SIOKRFLDVX1CDACH.+.Y...\ .KRFLDVY3@@GK@XVMV6F05-IOK.FLD.X1CsACH}VMV[F05wIOK,FLD(X1C ACH*VMVWF05.IOK=FLD8X1C:ACHFTeI6F:.uIMcrFLNVr.0eACB.WMV25.5SC.IRFH7uX1I.BCH\%iV6L.1SIK8wFLN.]1C@k.H[.[P6F+ZkIOARE.QPX1XngCJpoMV<F..SJ.^TFL_|z1A.HCH\|.%+F03{.OKX2EDVZ.IDAGbFTe.6F:.q7\KRBgD|zOWDAGcX|o(#F01xIei,PLDRs1if?THXRfV.@.WS;.GR6O+7X1El.CHR~.V6@0.iI1ERFHF9.1CNgirX~.V6@0..IOMRl.D(k1C@mD6kVMR.PN.SIK.T>LDP+.CDKf.kVMR..05YIe.Rn.DV^1k.ACN
                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                    Entropy (8bit):7.058313631962381
                                                    TrID:
                                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                    • DOS Executable Generic (2002/1) 0.02%
                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                    File name:BANK FORM_pdf.exe
                                                    File size:1'138'688 bytes
                                                    MD5:c43bb9c643319aaa0974682d7189076f
                                                    SHA1:fa474609fa251fae5f5716694e5b43f4bbe2fc92
                                                    SHA256:a53c112481f03e65d715114bdd8409f7f56e5b555a22d2f4faf3731b8b9717b0
                                                    SHA512:d8f85dcf1a88ecad2717418a5b987f56d57794ba85bf26cdc6e7898f5c25b7845763b891e6d281a6c709f46d7df868da4480a0696d126c0dabea5f4c8101b1dd
                                                    SSDEEP:24576:btb20pkaCqT5TBWgNQ7a1LZ50yNaJpTJggj6A:YVg5tQ7a1LrYFZ5
                                                    TLSH:0F35CF1363DDC365C3B25273BA65B701BEBB782506A5F96B2FD4093DE820122521EB73
                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........
                                                    Icon Hash:aaf3e3e3938382a0
                                                    Entrypoint:0x425f74
                                                    Entrypoint Section:.text
                                                    Digitally signed:false
                                                    Imagebase:0x400000
                                                    Subsystem:windows gui
                                                    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                    DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                    Time Stamp:0x679051D6 [Wed Jan 22 02:03:02 2025 UTC]
                                                    TLS Callbacks:
                                                    CLR (.Net) Version:
                                                    OS Version Major:5
                                                    OS Version Minor:1
                                                    File Version Major:5
                                                    File Version Minor:1
                                                    Subsystem Version Major:5
                                                    Subsystem Version Minor:1
                                                    Import Hash:3d95adbf13bbe79dc24dccb401c12091
                                                    Instruction
                                                    call 00007F3448C2537Fh
                                                    jmp 00007F3448C18394h
                                                    int3
                                                    int3
                                                    push edi
                                                    push esi
                                                    mov esi, dword ptr [esp+10h]
                                                    mov ecx, dword ptr [esp+14h]
                                                    mov edi, dword ptr [esp+0Ch]
                                                    mov eax, ecx
                                                    mov edx, ecx
                                                    add eax, esi
                                                    cmp edi, esi
                                                    jbe 00007F3448C1851Ah
                                                    cmp edi, eax
                                                    jc 00007F3448C1887Eh
                                                    bt dword ptr [004C0158h], 01h
                                                    jnc 00007F3448C18519h
                                                    rep movsb
                                                    jmp 00007F3448C1882Ch
                                                    cmp ecx, 00000080h
                                                    jc 00007F3448C186E4h
                                                    mov eax, edi
                                                    xor eax, esi
                                                    test eax, 0000000Fh
                                                    jne 00007F3448C18520h
                                                    bt dword ptr [004BA370h], 01h
                                                    jc 00007F3448C189F0h
                                                    bt dword ptr [004C0158h], 00000000h
                                                    jnc 00007F3448C186BDh
                                                    test edi, 00000003h
                                                    jne 00007F3448C186CEh
                                                    test esi, 00000003h
                                                    jne 00007F3448C186ADh
                                                    bt edi, 02h
                                                    jnc 00007F3448C1851Fh
                                                    mov eax, dword ptr [esi]
                                                    sub ecx, 04h
                                                    lea esi, dword ptr [esi+04h]
                                                    mov dword ptr [edi], eax
                                                    lea edi, dword ptr [edi+04h]
                                                    bt edi, 03h
                                                    jnc 00007F3448C18523h
                                                    movq xmm1, qword ptr [esi]
                                                    sub ecx, 08h
                                                    lea esi, dword ptr [esi+08h]
                                                    movq qword ptr [edi], xmm1
                                                    lea edi, dword ptr [edi+08h]
                                                    test esi, 00000007h
                                                    je 00007F3448C18575h
                                                    bt esi, 03h
                                                    jnc 00007F3448C185C8h
                                                    movdqa xmm1, dqword ptr [esi+00h]
                                                    Programming Language:
                                                    • [ C ] VS2008 SP1 build 30729
                                                    • [IMP] VS2008 SP1 build 30729
                                                    • [ASM] VS2012 UPD4 build 61030
                                                    • [RES] VS2012 UPD4 build 61030
                                                    • [LNK] VS2012 UPD4 build 61030
Name | Virtual Address | Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb7004 | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc4000 | 0x4ce10 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x111000 | 0x6c4c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x8d8d0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb2730 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8d000 | 0x860 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8b54f | 0x8b600 | f437a6545e938612764dbb0a314376fc | False | 0.5699499019058296 | data | 6.680413749210956 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8d000 | 0x2cc42 | 0x2ce00 | 827ffd24759e8e420890ecf164be989e | False | 0.330464397632312 | data | 5.770192333189168 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xba000 | 0x9d54 | 0x6200 | e0a519f8e3a35fae0d9c2cfd5a4bacfc | False | 0.16402264030612246 | data | 2.002691099965349 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc4000 | 0x4ce10 | 0x4d000 | e47542d9682c1a956ae9e9699238bae5 | False | 0.913872260551948 | data | 7.864554733242821 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x111000 | 0xa474 | 0xa600 | 0bc98f8631ef0bde830a7f83bb06ff08 | False | 0.5017884036144579 | data | 5.245426654116355 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc45a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc46d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc47f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc4920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xc4c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xc4d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xc5bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xc6480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xc69e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xc8f90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xca038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xca4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xca4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xcaa84 | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xcb110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xcb5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xcbb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xcc1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xcc660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xcc7b8 | 0x44116 | data | | | 1.0003443254449331
RT_GROUP_ICON | 0x1108d0 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x110948 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x11095c | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x110970 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x110984 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x110a60 | 0x3b0 | ASCII text, with CRLF line terminators | English | Great Britain | 0.5116525423728814
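Two numbers in the section and resource tables carry most of the static signal for this sample: the .rsrc section's entropy of 7.86 (out of a possible 8.0), and a single RT_RCDATA entry of 0x44116 bytes whose ZLIB complexity is above 1.0, meaning zlib cannot shrink it at all. Compiled AutoIt executables typically carry the compressed, obfuscated script in an RCDATA resource, which is what the "likely a compiled AutoIt script file" signature in this report is keying on. The Python below is an added example (not Joe Sandbox's own code) that shows how the entropy figure is computed, decodes the COFF timestamp from the header above, and screens the two tables mechanically. The section and resource values are copied from the report; the thresholds (7.2 bits, 64 KiB, complexity 0.98) are assumptions chosen for this example.

```python
import math
from collections import Counter
from datetime import datetime, timezone


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes.
    This is the figure shown in the 'Entropy' column above."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_timestamp(raw: int) -> datetime:
    """Decode the COFF TimeDateStamp (seconds since the Unix epoch, UTC)."""
    return datetime.fromtimestamp(raw, tz=timezone.utc)


# Section table as reported above: (name, virtual size, raw size, entropy, characteristics).
SECTIONS = [
    (".text",  0x8b54f, 0x8b600, 6.680413749210956, "IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ"),
    (".rdata", 0x2cc42, 0x2ce00, 5.770192333189168, "IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ"),
    (".data",  0x9d54,  0x6200,  2.002691099965349, "IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE"),
    (".rsrc",  0x4ce10, 0x4d000, 7.864554733242821, "IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ"),
    (".reloc", 0xa474,  0xa600,  5.245426654116355, "IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ"),
]

# Resource table as reported above, reduced to (type, size, zlib complexity).
RESOURCES = [
    ("RT_ICON", 0x128, 0.7466216216216216),
    ("RT_RCDATA", 0x44116, 1.0003443254449331),
    ("RT_MANIFEST", 0x3b0, 0.5116525423728814),
]


def triage_sections(sections, high_entropy=7.2):
    """Flag sections that look packed/encrypted or have unusual permissions.
    The threshold is an assumption for this example, not Joe Sandbox's."""
    findings = []
    for name, vsize, rsize, entropy, chars in sections:
        if entropy >= high_entropy:
            findings.append((name, f"entropy {entropy:.2f} >= {high_entropy}: packed or encrypted data"))
        if "IMAGE_SCN_MEM_EXECUTE" in chars and "IMAGE_SCN_MEM_WRITE" in chars:
            findings.append((name, "writable and executable section"))
        if rsize == 0 and vsize > 0:
            findings.append((name, "no raw data but non-zero virtual size: filled at runtime"))
    return findings


def payload_resources(resources, min_size=0x10000, min_complexity=0.98):
    """Large resources that zlib cannot shrink are the usual hiding place for an
    embedded payload (a compiled AutoIt script, a second-stage PE, a config blob)."""
    return [(rtype, size) for rtype, size, complexity in resources
            if size >= min_size and complexity >= min_complexity]


if __name__ == "__main__":
    print("compiled:", pe_timestamp(0x679051D6).isoformat())
    for name, why in triage_sections(SECTIONS):
        print(name, why)
    print("payload candidates:", payload_resources(RESOURCES))
```

Only .rsrc trips the entropy check here, and only the RT_RCDATA blob survives the resource filter; .text at 6.68 is ordinary compiled code. A writable-and-executable section or a section with no raw data would be a stronger packer indicator, and neither is present in this binary, which is consistent with an unmodified AutoIt runtime wrapping an opaque script resource rather than a custom packer.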
DLL | Imports
WSOCK32.dll | __WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll | InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll | UnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll | IsThemeActive
KERNEL32.dll | HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
USER32.dll | SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
GDI32.dll | SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll | RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit
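Several of the static signatures in this report (input blocking, clipboard reads, IsDebuggerPresent, CreateProcessAsUser, writing into foreign memory) are derived directly from the import table above. The Python below is an added example, not Joe Sandbox's own logic, that maps a subset of those imports (copied from the table) onto capability buckets and computes a pefile-style import hash from them. The capability rules are an assumption written for this example. One caveat matters for this particular sample: the report classifies it as a compiled AutoIt script, and the imports shown (mciSendStringW, waveOutSetVolume, SetSystemPowerState, SHEmptyRecycleBinW, BlockInput, IcmpSendEcho and so on) are the ones the AutoIt3 interpreter needs to expose its built-in functions. Import-based capability triage therefore describes what the runtime can do, not what this script does; the behaviours that actually fired (writing to foreign memory regions, mapping into another process) come from the dynamic signatures.

```python
import hashlib

# Subset of the import table reported above (DLL -> imported names), in the order shown.
IMPORTS = {
    "KERNEL32.dll": ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "ReadProcessMemory",
                     "CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW",
                     "LoadLibraryA", "GetProcAddress", "DeviceIoControl", "IsDebuggerPresent",
                     "OutputDebugStringW", "CreateProcessW", "GetTempPathW"],
    "USER32.dll": ["GetAsyncKeyState", "GetKeyState", "GetKeyboardState", "keybd_event", "SendInput",
                   "RegisterHotKey", "AttachThreadInput", "BlockInput", "OpenClipboard",
                   "GetClipboardData", "SetClipboardData", "mouse_event", "FindWindowW"],
    "ADVAPI32.dll": ["CreateProcessAsUserW", "CreateProcessWithLogonW", "LogonUserW",
                     "DuplicateTokenEx", "AdjustTokenPrivileges", "RegSetValueExW"],
    "WININET.dll": ["InternetOpenW", "InternetConnectW", "HttpOpenRequestW", "HttpSendRequestW",
                    "InternetReadFile", "FtpOpenFileW"],
    "WSOCK32.dll": ["socket", "connect", "send", "recv", "gethostbyname"],
}

# Capability rules assumed for this example: bucket name -> APIs that indicate it.
CAPABILITIES = {
    "process injection (write into foreign memory)": {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory"},
    "process enumeration": {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"},
    "keystroke capture": {"GetAsyncKeyState", "GetKeyState", "GetKeyboardState",
                          "AttachThreadInput", "RegisterHotKey"},
    "input simulation": {"keybd_event", "SendInput", "mouse_event"},
    "input blocking": {"BlockInput"},
    "clipboard access": {"OpenClipboard", "GetClipboardData", "SetClipboardData"},
    "debugger detection": {"IsDebuggerPresent", "OutputDebugStringW"},
    "run as another user": {"CreateProcessAsUserW", "CreateProcessWithLogonW", "LogonUserW"},
    "dynamic API resolution": {"LoadLibraryA", "GetProcAddress"},
    "device driver communication": {"DeviceIoControl"},
    "HTTP/FTP client": {"InternetOpenW", "HttpSendRequestW", "InternetReadFile", "FtpOpenFileW"},
    "raw sockets": {"socket", "connect", "send", "recv"},
}


def capabilities(imports, rules=CAPABILITIES):
    """Return {capability: sorted 'DLL!api' hits} for every rule with at least one match."""
    present = {f"{dll}!{api}": api for dll, apis in imports.items() for api in apis}
    found = {}
    for cap, wanted in rules.items():
        hits = sorted(key for key, api in present.items() if api in wanted)
        if hits:
            found[cap] = hits
    return found


def imphash(imports):
    """pefile-style import hash: 'lib.func' pairs lowercased, DLL extension stripped,
    joined by commas in import-directory order, then MD5'd. Imports by ordinal (which
    pefile maps to names via a lookup table) are not handled in this example."""
    parts = []
    for dll, apis in imports.items():
        lib = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        parts.extend(f"{lib}.{api.lower()}" for api in apis)
    return hashlib.md5(",".join(parts).encode()).hexdigest()


if __name__ == "__main__":
    for cap, hits in capabilities(IMPORTS).items():
        print(f"{cap}: {', '.join(hits)}")
    print("imphash (subset, so not comparable to the report):", imphash(IMPORTS))
```

The hash is order-sensitive and case-insensitive, which is why it is useful for clustering samples built from the same runtime or template: every compiled AutoIt binary of the same interpreter version shares one imphash regardless of the script inside. The value computed here is over a subset and will not equal the Import Hash reported above; to reproduce that figure you need the full import directory in its original order, ordinals included.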
Language of compilation system | Country where language is spoken
English | Great Britain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-22T09:47:13.560147+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49704 | 132.226.8.169 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 22, 2025 09:47:12.067945004 CET | 49704 | 80 | 192.168.2.5 | 132.226.8.169
Jan 22, 2025 09:47:12.072968006 CET | 80 | 49704 | 132.226.8.169 | 192.168.2.5
Jan 22, 2025 09:47:12.073206902 CET | 49704 | 80 | 192.168.2.5 | 132.226.8.169
Jan 22, 2025 09:47:12.074120045 CET | 49704 | 80 | 192.168.2.5 | 132.226.8.169
Jan 22, 2025 09:47:12.078968048 CET | 80 | 49704 | 132.226.8.169 | 192.168.2.5
Jan 22, 2025 09:47:13.153453112 CET | 80 | 49704 | 132.226.8.169 | 192.168.2.5
Jan 22, 2025 09:47:13.174876928 CET | 49704 | 80 | 192.168.2.5 | 132.226.8.169
Jan 22, 2025 09:47:13.179847002 CET | 80 | 49704 | 132.226.8.169 | 192.168.2.5
Jan 22, 2025 09:47:13.513500929 CET | 80 | 49704 | 132.226.8.169 | 192.168.2.5
Jan 22, 2025 09:47:13.523998022 CET | 49705 | 443 | 192.168.2.5 | 104.21.96.1
Jan 22, 2025 09:47:13.524075031 CET | 443 | 49705 | 104.21.96.1 | 192.168.2.5
Jan 22, 2025 09:47:13.524158001 CET | 49705 | 443 | 192.168.2.5 | 104.21.96.1
Jan 22, 2025 09:47:13.552342892 CET | 49705 | 443 | 192.168.2.5 | 104.21.96.1
Jan 22, 2025 09:47:13.552434921 CET | 443 | 49705 | 104.21.96.1 | 192.168.2.5
Jan 22, 2025 09:47:13.560147047 CET | 49704 | 80 | 192.168.2.5 | 132.226.8.169
Jan 22, 2025 09:47:14.014489889 CET | 443 | 49705 | 104.21.96.1 | 192.168.2.5
Jan 22, 2025 09:47:14.014615059 CET | 49705 | 443 | 192.168.2.5 | 104.21.96.1
Jan 22, 2025 09:47:14.039417982 CET | 49705 | 443 | 192.168.2.5 | 104.21.96.1
Jan 22, 2025 09:47:14.039463997 CET | 443 | 49705 | 104.21.96.1 | 192.168.2.5
Jan 22, 2025 09:47:14.039813042 CET | 443 | 49705 | 104.21.96.1 | 192.168.2.5
Jan 22, 2025 09:47:14.091409922 CET | 49705 | 443 | 192.168.2.5 | 104.21.96.1
Jan 22, 2025 09:47:14.131325006 CET | 49705 | 443 | 192.168.2.5 | 104.21.96.1
Jan 22, 2025 09:47:14.175371885 CET | 443 | 49705 | 104.21.96.1 | 192.168.2.5
Jan 22, 2025 09:47:14.240900993 CET | 443 | 49705 | 104.21.96.1 | 192.168.2.5
Jan 22, 2025 09:47:14.240961075 CET | 443 | 49705 | 104.21.96.1 | 192.168.2.5
Jan 22, 2025 09:47:14.241071939 CET | 49705 | 443 | 192.168.2.5 | 104.21.96.1
Jan 22, 2025 09:47:14.275389910 CET | 49705 | 443 | 192.168.2.5 | 104.21.96.1
Jan 22, 2025 09:48:18.544013023 CET | 80 | 49704 | 132.226.8.169 | 192.168.2.5
Jan 22, 2025 09:48:18.544157028 CET | 49704 | 80 | 192.168.2.5 | 132.226.8.169
Jan 22, 2025 09:48:53.529597998 CET | 49704 | 80 | 192.168.2.5 | 132.226.8.169
Jan 22, 2025 09:48:53.534439087 CET | 80 | 49704 | 132.226.8.169 | 192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 22, 2025 09:47:11.891114950 CET | 54575 | 53 | 192.168.2.5 | 1.1.1.1
Jan 22, 2025 09:47:11.898319960 CET | 53 | 54575 | 1.1.1.1 | 192.168.2.5
Jan 22, 2025 09:47:13.516071081 CET | 61313 | 53 | 192.168.2.5 | 1.1.1.1
Jan 22, 2025 09:47:13.523170948 CET | 53 | 61313 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 22, 2025 09:47:11.891114950 CET | 192.168.2.5 | 1.1.1.1 | 0xc32 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Jan 22, 2025 09:47:13.516071081 CET | 192.168.2.5 | 1.1.1.1 | 0x9720 | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 22, 2025 09:47:11.898319960 CET | 1.1.1.1 | 192.168.2.5 | 0xc32 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
Jan 22, 2025 09:47:11.898319960 CET | 1.1.1.1 | 192.168.2.5 | 0xc32 | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Jan 22, 2025 09:47:11.898319960 CET | 1.1.1.1 | 192.168.2.5 | 0xc32 | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Jan 22, 2025 09:47:11.898319960 CET | 1.1.1.1 | 192.168.2.5 | 0xc32 | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Jan 22, 2025 09:47:11.898319960 CET | 1.1.1.1 | 192.168.2.5 | 0xc32 | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Jan 22, 2025 09:47:11.898319960 CET | 1.1.1.1 | 192.168.2.5 | 0xc32 | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Jan 22, 2025 09:47:13.523170948 CET | 1.1.1.1 | 192.168.2.5 | 0x9720 | No error (0) | reallyfreegeoip.org | | 104.21.96.1 | A (IP address) | IN (0x0001) | false
Jan 22, 2025 09:47:13.523170948 CET | 1.1.1.1 | 192.168.2.5 | 0x9720 | No error (0) | reallyfreegeoip.org | | 104.21.112.1 | A (IP address) | IN (0x0001) | false
Jan 22, 2025 09:47:13.523170948 CET | 1.1.1.1 | 192.168.2.5 | 0x9720 | No error (0) | reallyfreegeoip.org | | 104.21.32.1 | A (IP address) | IN (0x0001) | false
Jan 22, 2025 09:47:13.523170948 CET | 1.1.1.1 | 192.168.2.5 | 0x9720 | No error (0) | reallyfreegeoip.org | | 104.21.48.1 | A (IP address) | IN (0x0001) | false
Jan 22, 2025 09:47:13.523170948 CET | 1.1.1.1 | 192.168.2.5 | 0x9720 | No error (0) | reallyfreegeoip.org | | 104.21.64.1 | A (IP address) | IN (0x0001) | false
Jan 22, 2025 09:47:13.523170948 CET | 1.1.1.1 | 192.168.2.5 | 0x9720 | No error (0) | reallyfreegeoip.org | | 104.21.16.1 | A (IP address) | IN (0x0001) | false
Jan 22, 2025 09:47:13.523170948 CET | 1.1.1.1 | 192.168.2.5 | 0x9720 | No error (0) | reallyfreegeoip.org | | 104.21.80.1 | A (IP address) | IN (0x0001) | false
• reallyfreegeoip.org
• checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 132.226.8.169 | 80 | 4204 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
Jan 22, 2025 09:47:12.074120045 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Jan 22, 2025 09:47:13.153453112 CET | 273 | IN | HTTP/1.1 200 OK
    Date: Wed, 22 Jan 2025 08:47:13 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 22, 2025 09:47:13.174876928 CET | 127 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Jan 22, 2025 09:47:13.513500929 CET | 273 | IN | HTTP/1.1 200 OK
    Date: Wed, 22 Jan 2025 08:47:13 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49705 | 104.21.96.1 | 443 | 4204 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-22 08:47:14 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
2025-01-22 08:47:14 UTC | 859 | IN | HTTP/1.1 200 OK
    Date: Wed, 22 Jan 2025 08:47:14 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 2850423
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5bYWMFgndyUcebeELJhvBGuOqXW9QarV0AhlOIRYKy%2Bu%2BuhfUMg8RDmGJaboeCunn8EpmViZUC5iutBuKVcX7CiTuL1ppRn%2FAwcsa2XJ9Cbbsk7dno%2FGq2iRgNZqxTYcJttr%2Bwc4"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 905e47319fd31a44-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1767&min_rtt=1762&rtt_var=672&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1614151&cwnd=131&unsent_bytes=0&cid=f79556857dc16579&ts=238&x=0"
2025-01-22 08:47:14 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
    Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Target ID: 0
Start time: 03:47:09
Start date: 22/01/2025
Path: C:\Users\user\Desktop\BANK FORM_pdf.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\BANK FORM_pdf.exe"
Imagebase: 0xaf0000
File size: 1'138'688 bytes
MD5 hash: C43BB9C643319AAA0974682D7189076F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.2150535626.0000000004290000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2150535626.0000000004290000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2150535626.0000000004290000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2150535626.0000000004290000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000000.00000002.2150535626.0000000004290000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
Reputation: low
Has exited: true

Target ID: 2
Start time: 03:47:10
Start date: 22/01/2025
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\BANK FORM_pdf.exe"
Imagebase: 0x9d0000
File size: 45'984 bytes
MD5 hash: 9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000002.00000002.3379815287.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3379815287.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.3379815287.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.3379815287.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3381640583.0000000002E26000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: high
Has exited: false
