Edit tour

Windows Analysis Report
Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Overview

General Information

Sample name:	Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe
Analysis ID:	1630678
MD5:	7fd34270073081844d4bf5111ffe18d8
SHA1:	5df627bc738a71e366370d4b42c8f1028fec564a
SHA256:	423c168cc254b333bb536c0ef06eb55ed79b1d21fdbd7779301222a08c3f51b7
Tags:	exeuser-threatcat_ch
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Snake Keylogger

Binary is likely a compiled AutoIt script file

Initial sample is a PE file and has a suspicious name

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

Sample uses string decryption to hide its real strings

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates processes with suspicious names

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe (PID: 7988 cmdline: "C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe" MD5: 7FD34270073081844D4BF5111FFE18D8)

RegSvcs.exe (PID: 8052 cmdline: "C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7200174383:AAGiuIXRkOAbU2n4B0G-2otS20RqwZrRApI/sendMessage?chat_id=7365979371", "Token": "7200174383:AAGiuIXRkOAbU2n4B0G-2otS20RqwZrRApI", "Chat_id": "7365979371", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.3820969235.0000000003102000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1384703527.0000000001840000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1384703527.0000000001840000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1384703527.0000000001840000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14aad:$a1: get_encryptedPassword 0x14d99:$a2: get_encryptedUsername 0x148b9:$a3: get_timePasswordChanged 0x149b4:$a4: get_passwordField 0x14ac3:$a5: set_encryptedPassword 0x16122:$a7: get_logins 0x16085:$a10: KeyLoggerEventArgs 0x15cf0:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.1384703527.0000000001840000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c472:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b6a4:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bad7:$a4: \Orbitum\User Data\Default\Login Data 0x1cb16:$a5: \Kometa\User Data\Default\Login Data
00000000.00000002.1384703527.0000000001840000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1567b:$s1: UnHook 0x15682:$s2: SetHook 0x1568a:$s3: CallNextHook 0x15697:$s4: _hook
00000000.00000002.1384703527.0000000001840000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19abc:$x1: $%SMTPDV$ 0x184a0:$x2: $#TheHashHere%& 0x19a64:$x3: %FTPDV$ 0x18440:$x4: $%TelegramDv$ 0x15cf0:$x5: KeyLoggerEventArgs 0x16085:$x5: KeyLoggerEventArgs 0x19a88:$m2: Clipboard Logs ID 0x19cc6:$m2: Screenshot Logs ID 0x19dd6:$m2: keystroke Logs ID 0x1a0b0:$m3: SnakePW 0x19c9e:$m4: \SnakeKeylogger\
00000002.00000002.3819962621.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3819962621.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000002.00000002.3819962621.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x148ad:$a1: get_encryptedPassword 0x14b99:$a2: get_encryptedUsername 0x146b9:$a3: get_timePasswordChanged 0x147b4:$a4: get_passwordField 0x148c3:$a5: set_encryptedPassword 0x15f22:$a7: get_logins 0x15e85:$a10: KeyLoggerEventArgs 0x15af0:$a11: KeyLoggerEventArgsEventHandler
00000002.00000002.3819962621.0000000000402000.00000040.80000000.00040000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x198bc:$x1: $%SMTPDV$ 0x182a0:$x2: $#TheHashHere%& 0x19864:$x3: %FTPDV$ 0x18240:$x4: $%TelegramDv$ 0x15af0:$x5: KeyLoggerEventArgs 0x15e85:$x5: KeyLoggerEventArgs 0x19888:$m2: Clipboard Logs ID 0x19ac6:$m2: Screenshot Logs ID 0x19bd6:$m2: keystroke Logs ID 0x19eb0:$m3: SnakePW 0x19a9e:$m4: \SnakeKeylogger\
00000002.00000002.3820969235.0000000002F31000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe PID: 7988	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe PID: 7988	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe PID: 7988	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x53f16:$a1: get_encryptedPassword 0x541f8:$a2: get_encryptedUsername 0x53d2c:$a3: get_timePasswordChanged 0x53e27:$a4: get_passwordField 0x53f2c:$a5: set_encryptedPassword 0x56405:$a7: get_logins 0x56368:$a10: KeyLoggerEventArgs 0x55fd3:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe PID: 7988	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x55fd3:$x5: KeyLoggerEventArgs 0x56368:$x5: KeyLoggerEventArgs 0x56c6f:$x5: KeyLoggerEventArgs 0x56fd0:$x5: KeyLoggerEventArgs 0x58593:$m2: Clipboard Logs ID 0x58699:$m2: Screenshot Logs ID 0x586ef:$m2: keystroke Logs ID 0x58824:$m3: SnakePW 0x58685:$m4: \SnakeKeylogger\
Process Memory Space: RegSvcs.exe PID: 8052	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 8052	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: RegSvcs.exe PID: 8052	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x207c8:$a1: get_encryptedPassword 0x20aaa:$a2: get_encryptedUsername 0x205de:$a3: get_timePasswordChanged 0x206d9:$a4: get_passwordField 0x207de:$a5: set_encryptedPassword 0x22cb7:$a7: get_logins 0x22c1a:$a10: KeyLoggerEventArgs 0x22885:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 8052	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x22885:$x5: KeyLoggerEventArgs 0x22c1a:$x5: KeyLoggerEventArgs 0x23521:$x5: KeyLoggerEventArgs 0x23882:$x5: KeyLoggerEventArgs 0x24e45:$m2: Clipboard Logs ID 0x24f4b:$m2: Screenshot Logs ID 0x24fa1:$m2: keystroke Logs ID 0x250d6:$m3: SnakePW 0x24f37:$m4: \SnakeKeylogger\
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe.1840000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe.1840000.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe.1840000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14aad:$a1: get_encryptedPassword 0x14d99:$a2: get_encryptedUsername 0x148b9:$a3: get_timePasswordChanged 0x149b4:$a4: get_passwordField 0x14ac3:$a5: set_encryptedPassword 0x16122:$a7: get_logins 0x16085:$a10: KeyLoggerEventArgs 0x15cf0:$a11: KeyLoggerEventArgsEventHandler
0.2.Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe.1840000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c472:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b6a4:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bad7:$a4: \Orbitum\User Data\Default\Login Data 0x1cb16:$a5: \Kometa\User Data\Default\Login Data
0.2.Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe.1840000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1567b:$s1: UnHook 0x15682:$s2: SetHook 0x1568a:$s3: CallNextHook 0x15697:$s4: _hook
0.2.Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe.1840000.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19abc:$x1: $%SMTPDV$ 0x184a0:$x2: $#TheHashHere%& 0x19a64:$x3: %FTPDV$ 0x18440:$x4: $%TelegramDv$ 0x15cf0:$x5: KeyLoggerEventArgs 0x16085:$x5: KeyLoggerEventArgs 0x19a88:$m2: Clipboard Logs ID 0x19cc6:$m2: Screenshot Logs ID 0x19dd6:$m2: keystroke Logs ID 0x1a0b0:$m3: SnakePW 0x19c9e:$m4: \SnakeKeylogger\
0.2.Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe.1840000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe.1840000.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe.1840000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12cad:$a1: get_encryptedPassword 0x12f99:$a2: get_encryptedUsername 0x12ab9:$a3: get_timePasswordChanged 0x12bb4:$a4: get_passwordField 0x12cc3:$a5: set_encryptedPassword 0x14322:$a7: get_logins 0x14285:$a10: KeyLoggerEventArgs 0x13ef0:$a11: KeyLoggerEventArgsEventHandler
0.2.Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe.1840000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a672:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x198a4:$a3: \Google\Chrome\User Data\Default\Login Data 0x19cd7:$a4: \Orbitum\User Data\Default\Login Data 0x1ad16:$a5: \Kometa\User Data\Default\Login Data
0.2.Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe.1840000.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1387b:$s1: UnHook 0x13882:$s2: SetHook 0x1388a:$s3: CallNextHook 0x13897:$s4: _hook
0.2.Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe.1840000.1.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17cbc:$x1: $%SMTPDV$ 0x166a0:$x2: $#TheHashHere%& 0x17c64:$x3: %FTPDV$ 0x16640:$x4: $%TelegramDv$ 0x13ef0:$x5: KeyLoggerEventArgs 0x14285:$x5: KeyLoggerEventArgs 0x17c88:$m2: Clipboard Logs ID 0x17ec6:$m2: Screenshot Logs ID 0x17fd6:$m2: keystroke Logs ID 0x182b0:$m3: SnakePW 0x17e9e:$m4: \SnakeKeylogger\
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14aad:$a1: get_encryptedPassword 0x14d99:$a2: get_encryptedUsername 0x148b9:$a3: get_timePasswordChanged 0x149b4:$a4: get_passwordField 0x14ac3:$a5: set_encryptedPassword 0x16122:$a7: get_logins 0x16085:$a10: KeyLoggerEventArgs 0x15cf0:$a11: KeyLoggerEventArgsEventHandler
2.2.RegSvcs.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c472:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b6a4:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bad7:$a4: \Orbitum\User Data\Default\Login Data 0x1cb16:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1567b:$s1: UnHook 0x15682:$s2: SetHook 0x1568a:$s3: CallNextHook 0x15697:$s4: _hook
2.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19abc:$x1: $%SMTPDV$ 0x184a0:$x2: $#TheHashHere%& 0x19a64:$x3: %FTPDV$ 0x18440:$x4: $%TelegramDv$ 0x15cf0:$x5: KeyLoggerEventArgs 0x16085:$x5: KeyLoggerEventArgs 0x19a88:$m2: Clipboard Logs ID 0x19cc6:$m2: Screenshot Logs ID 0x19dd6:$m2: keystroke Logs ID 0x1a0b0:$m3: SnakePW 0x19c9e:$m4: \SnakeKeylogger\
Click to see the 13 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-06T06:54:15.611468+0100	2803305	3	Unknown Traffic	192.168.2.8	49708	104.21.48.1	443	TCP
2025-03-06T06:54:18.849794+0100	2803305	3	Unknown Traffic	192.168.2.8	49710	104.21.48.1	443	TCP
2025-03-06T06:54:25.132598+0100	2803305	3	Unknown Traffic	192.168.2.8	49714	104.21.48.1	443	TCP
2025-03-06T06:54:28.252265+0100	2803305	3	Unknown Traffic	192.168.2.8	49718	104.21.48.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-06T06:54:10.380954+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49706	158.101.44.242	80	TCP
2025-03-06T06:54:13.427870+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49706	158.101.44.242	80	TCP
2025-03-06T06:54:16.302952+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49709	158.101.44.242	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.1384703527.0000000001840000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7200174383:AAGiuIXRkOAbU2n4B0G-2otS20RqwZrRApI/sendMessage?chat_id=7365979371", "Token": "7200174383:AAGiuIXRkOAbU2n4B0G-2otS20RqwZrRApI", "Chat_id": "7365979371", "Version": "5.1"}

Multi AV Scanner detection for submitted file

Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Virustotal: Detection: 33%			Perma Link
Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	ReversingLabs: Detection: 36%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 2.2.RegSvcs.exe.400000.0.unpack	String decryptor:
Source: 2.2.RegSvcs.exe.400000.0.unpack	String decryptor: 7200174383:AAGiuIXRkOAbU2n4B0G-2otS20RqwZrRApI
Source: 2.2.RegSvcs.exe.400000.0.unpack	String decryptor: 7365979371

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.8:49707 version: TLS 1.0

Source:	Binary string: wntdll.pdbUGP source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe, 00000000.00000003.1375871226.00000000036A0000.00000004.00001000.00020000.00000000.sdmp, Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe, 00000000.00000003.1377468792.0000000003500000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe, 00000000.00000003.1375871226.00000000036A0000.00000004.00001000.00020000.00000000.sdmp, Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe, 00000000.00000003.1377468792.0000000003500000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_0019445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0019445A
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_0019C6D1 FindFirstFileW,FindClose,	0_2_0019C6D1
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_0019C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0019C75C
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_0019EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0019EF95
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_0019F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0019F0F2
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_0019F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0019F3F3
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_001937EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_001937EF
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00193B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00193B12
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_0019BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0019BCBC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 010EF1F6h	2_2_010EF007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 010EFB80h	2_2_010E21E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	2_2_010EE528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	2_2_010EEB5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	2_2_010EED3C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 02E11A38h	2_2_02E11620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 02E102F1h	2_2_02E10040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 02E11471h	2_2_02E111C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 02E1D1A1h	2_2_02E1CEF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 02E1CD49h	2_2_02E1CAA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 02E1FD11h	2_2_02E1FA68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 02E1C8F1h	2_2_02E1C648
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 02E1F8B9h	2_2_02E1F610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 02E1DA51h	2_2_02E1D7A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 02E1D5F9h	2_2_02E1D350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 02E1B791h	2_2_02E1B4E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 02E10751h	2_2_02E104A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 02E1E759h	2_2_02E1E4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 02E1E301h	2_2_02E1E058
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 02E1DEA9h	2_2_02E1DC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 02E1C499h	2_2_02E1C1F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 02E1F461h	2_2_02E1F1B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 02E1C041h	2_2_02E1BD98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 02E11011h	2_2_02E10D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 02E1F009h	2_2_02E1ED60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 02E11A38h	2_2_02E11966
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 02E1BBE9h	2_2_02E1B940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 02E10BB1h	2_2_02E10900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 02E1EBB1h	2_2_02E1E908

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.48.1 104.21.48.1
Source: Joe Sandbox View	IP Address: 104.21.48.1 104.21.48.1
Source: Joe Sandbox View	IP Address: 158.101.44.242 158.101.44.242

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49709 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49706 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49710 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49708 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49714 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49718 -> 104.21.48.1:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.8:49707 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Code function: 0_2_001A22EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_001A22EE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: RegSvcs.exe, 00000002.00000002.3820969235.00000000030AA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3820969235.0000000002FFC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3820969235.00000000030B8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3820969235.000000000309C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3820969235.000000000308F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3820969235.00000000030F4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3820969235.00000000030E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000002.00000002.3820969235.00000000030C6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3820969235.00000000030AA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3820969235.0000000002FFC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3820969235.00000000030B8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3820969235.000000000309C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3820969235.000000000308F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3820969235.000000000303F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3820969235.00000000030F4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3820969235.0000000002FED000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3820969235.00000000030E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000002.00000002.3820969235.0000000002F31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe, 00000000.00000002.1384703527.0000000001840000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3819962621.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000002.00000002.3820969235.00000000030AA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3820969235.00000000030B8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3820969235.000000000309C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3820969235.000000000308F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3820969235.00000000030F4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3820969235.0000000003014000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3820969235.00000000030E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000002.00000002.3820969235.0000000002F31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000002.00000002.3820969235.00000000030AA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3820969235.0000000002FFC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3820969235.00000000030B8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3820969235.000000000309C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3820969235.000000000308F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3820969235.000000000303F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3820969235.00000000030F4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3820969235.00000000030E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe, 00000000.00000002.1384703527.0000000001840000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3819962621.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3820969235.0000000002FFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000002.00000002.3820969235.00000000030E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: RegSvcs.exe, 00000002.00000002.3820969235.00000000030AA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3820969235.00000000030B8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3820969235.000000000309C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3820969235.000000000308F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3820969235.000000000303F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3820969235.00000000030F4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3820969235.00000000030E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Code function: 0_2_001A4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_001A4164

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Code function: 0_2_001A4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_001A4164

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Code function: 0_2_001A3F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_001A3F66

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Code function: 0_2_0019001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_0019001C

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Code function: 0_2_001BCABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_001BCABC

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe.1840000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe.1840000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe.1840000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe.1840000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe.1840000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe.1840000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe.1840000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe.1840000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.1384703527.0000000001840000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1384703527.0000000001840000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000000.00000002.1384703527.0000000001840000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000000.00000002.1384703527.0000000001840000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000002.00000002.3819962621.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.3819962621.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe PID: 7988, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe PID: 7988, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: RegSvcs.exe PID: 8052, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 8052, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00133B3A
Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe, 00000000.00000002.1383727422.00000000001E4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_b4393011-4
Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe, 00000000.00000002.1383727422.00000000001E4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_1b1f322f-5
Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_f33bdad7-4
Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_bc71b740-2

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Code function: 0_2_0019A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_0019A1EF

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Code function: 0_2_00188310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00188310

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Code function: 0_2_001951BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_001951BD

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_0013E6A0	0_2_0013E6A0
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_0015D975	0_2_0015D975
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_0013FCE0	0_2_0013FCE0
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_001521C5	0_2_001521C5
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_001662D2	0_2_001662D2
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_001B03DA	0_2_001B03DA
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_0016242E	0_2_0016242E
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_001525FA	0_2_001525FA
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_0018E616	0_2_0018E616
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_001466E1	0_2_001466E1
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_0016878F	0_2_0016878F
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00148808	0_2_00148808
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_001B0857	0_2_001B0857
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00166844	0_2_00166844
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00198889	0_2_00198889
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_0015CB21	0_2_0015CB21
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00166DB6	0_2_00166DB6
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00146F9E	0_2_00146F9E
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00143030	0_2_00143030
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00153187	0_2_00153187
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_0015F1D9	0_2_0015F1D9
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00131287	0_2_00131287
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00151484	0_2_00151484
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00145520	0_2_00145520
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00157696	0_2_00157696
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00145760	0_2_00145760
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00151978	0_2_00151978
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00169AB5	0_2_00169AB5
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00151D90	0_2_00151D90
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_0015BDA6	0_2_0015BDA6
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_001B7DDB	0_2_001B7DDB
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_0013DF00	0_2_0013DF00
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00143FE0	0_2_00143FE0
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00B9D9F0	0_2_00B9D9F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_010E6108	2_2_010E6108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_010EC190	2_2_010EC190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_010EF007	2_2_010EF007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_010EB328	2_2_010EB328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_010EC473	2_2_010EC473
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_010E6730	2_2_010E6730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_010EC751	2_2_010EC751
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_010E9858	2_2_010E9858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_010EBBD3	2_2_010EBBD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_010ECA31	2_2_010ECA31
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_010E4AD9	2_2_010E4AD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_010EBEB0	2_2_010EBEB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_010E21E3	2_2_010E21E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_010EE517	2_2_010EE517
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_010EE528	2_2_010EE528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_010E3570	2_2_010E3570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_010EB4F3	2_2_010EB4F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02E18460	2_2_02E18460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02E13870	2_2_02E13870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02E10040	2_2_02E10040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02E111C0	2_2_02E111C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02E17D90	2_2_02E17D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02E1CEEA	2_2_02E1CEEA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02E1CEF8	2_2_02E1CEF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02E1CAA0	2_2_02E1CAA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02E1FA68	2_2_02E1FA68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02E1C648	2_2_02E1C648
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02E1FA59	2_2_02E1FA59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02E1C638	2_2_02E1C638
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02E1F600	2_2_02E1F600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02E1F610	2_2_02E1F610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02E173E8	2_2_02E173E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02E1DBF1	2_2_02E1DBF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02E1D7A8	2_2_02E1D7A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02E1D798	2_2_02E1D798
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02E1D340	2_2_02E1D340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02E1D350	2_2_02E1D350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02E1B4E8	2_2_02E1B4E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02E108F0	2_2_02E108F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02E1E8F8	2_2_02E1E8F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02E1B4D7	2_2_02E1B4D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02E104A0	2_2_02E104A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02E1E4A0	2_2_02E1E4A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02E1E4B0	2_2_02E1E4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02E10490	2_2_02E10490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02E13860	2_2_02E13860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02E1E049	2_2_02E1E049
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02E1E058	2_2_02E1E058
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02E1DC00	2_2_02E1DC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02E10007	2_2_02E10007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02E1C1E0	2_2_02E1C1E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02E1C1F0	2_2_02E1C1F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02E1F1A9	2_2_02E1F1A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02E111B0	2_2_02E111B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02E1F1B8	2_2_02E1F1B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02E1BD88	2_2_02E1BD88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02E1BD98	2_2_02E1BD98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02E10D60	2_2_02E10D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02E1ED60	2_2_02E1ED60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02E1B940	2_2_02E1B940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02E10D51	2_2_02E10D51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02E1ED50	2_2_02E1ED50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02E1B930	2_2_02E1B930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02E10900	2_2_02E10900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02E1E908	2_2_02E1E908

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: String function: 00150AE3 appears 70 times
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: String function: 00137DE1 appears 35 times
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: String function: 00158900 appears 42 times

Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe, 00000000.00000002.1384703527.0000000001840000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe
Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe, 00000000.00000003.1375619298.0000000003623000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe
Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe, 00000000.00000003.1375226464.00000000037CD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 0.2.Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe.1840000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe.1840000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe.1840000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe.1840000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe.1840000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe.1840000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe.1840000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe.1840000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.1384703527.0000000001840000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1384703527.0000000001840000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.1384703527.0000000001840000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000000.00000002.1384703527.0000000001840000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000002.00000002.3819962621.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.3819962621.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe PID: 7988, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe PID: 7988, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: RegSvcs.exe PID: 8052, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 8052, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: 0.2.Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe.1840000.1.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe.1840000.1.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe.1840000.1.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe.1840000.1.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/2@2/2

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Code function: 0_2_0019A06A GetLastError,FormatMessageW,

0_2_0019A06A

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_001881CB AdjustTokenPrivileges,CloseHandle,		0_2_001881CB
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_001887E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_001887E1

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Code function: 0_2_0019B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_0019B333

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Code function: 0_2_001AEE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_001AEE0D

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Code function: 0_2_0019C397 CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0019C397

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Code function: 0_2_00134E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00134E89

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

File created: C:\Users\user\AppData\Local\Temp\aut765A.tmp

Jump to behavior

Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000002.00000002.3821771723.0000000003FC0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3820969235.000000000317F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3820969235.000000000318D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3820969235.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3820969235.000000000316F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3820969235.00000000031B4000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Virustotal: Detection: 33%
Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	ReversingLabs: Detection: 36%

Source: unknown	Process created: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe "C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe"
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe"
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe, 00000000.00000003.1375871226.00000000036A0000.00000004.00001000.00020000.00000000.sdmp, Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe, 00000000.00000003.1377468792.0000000003500000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe, 00000000.00000003.1375871226.00000000036A0000.00000004.00001000.00020000.00000000.sdmp, Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe, 00000000.00000003.1377468792.0000000003500000.00000004.00001000.00020000.00000000.sdmp

Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Code function: 0_2_00134B37 LoadLibraryA,GetProcAddress,

0_2_00134B37

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00158945 push ecx; ret	0_2_00158958
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_010EB0A5 pushfd ; iretd	2_2_010EB0AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02E12E78 push esp; iretd	2_2_02E12E79

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	File created: \purchase order # 8mja15 - 20hrs pms twin engine 150hp.exe
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	File created: \purchase order # 8mja15 - 20hrs pms twin engine 150hp.exe			Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_001348D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_001348D7
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_001B5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_001B5376

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Code function: 0_2_00153187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00153187

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

API/Special instruction interceptor: Address: B9D614

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599889	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596513	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595968	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595749	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595393	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595266	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594500	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 2089			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 7766			Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-102296

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

API coverage: 5.7 %

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_0019445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0019445A
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_0019C6D1 FindFirstFileW,FindClose,	0_2_0019C6D1
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_0019C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0019C75C
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_0019EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0019EF95
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_0019F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0019F0F2
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_0019F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0019F3F3
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_001937EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_001937EF
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00193B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00193B12
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_0019BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0019BCBC

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Code function: 0_2_001349A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001349A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599889	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596513	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595968	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595749	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595393	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595266	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594500	Jump to behavior

Source: RegSvcs.exe, 00000002.00000002.3820376852.0000000001126000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

API call chain: ExitProcess graph end node

graph_0-101155

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 2_2_02E17D90 LdrInitializeThunk,

2_2_02E17D90

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Code function: 0_2_001A3F09 BlockInput,

0_2_001A3F09

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Code function: 0_2_00133B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00133B3A

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Code function: 0_2_00165A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00165A7C

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Code function: 0_2_00134B37 LoadLibraryA,GetProcAddress,

0_2_00134B37

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00B9C220 mov eax, dword ptr fs:[00000030h]	0_2_00B9C220
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00B9D880 mov eax, dword ptr fs:[00000030h]	0_2_00B9D880
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00B9D8E0 mov eax, dword ptr fs:[00000030h]	0_2_00B9D8E0

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Code function: 0_2_001880A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_001880A9

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_0015A124 SetUnhandledExceptionFilter,		0_2_0015A124
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_0015A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_0015A155

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: D9D008

Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Code function: 0_2_001887B1 LogonUserW,

0_2_001887B1

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Code function: 0_2_00133B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00133B3A

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Code function: 0_2_001348D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_001348D7

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Code function: 0_2_00194C27 mouse_event,

0_2_00194C27

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Code function: 0_2_00187CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00187CAF

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Code function: 0_2_0018874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_0018874B

Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Code function: 0_2_0015862B cpuid

0_2_0015862B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Code function: 0_2_00164E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00164E87

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Code function: 0_2_00171E06 GetUserNameW,

0_2_00171E06

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Code function: 0_2_00163F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00163F3A

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Code function: 0_2_001349A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001349A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe.1840000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe.1840000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3820969235.0000000003102000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1384703527.0000000001840000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3819962621.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3820969235.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe PID: 7988, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 8052, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Binary or memory string: WIN_81
Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Binary or memory string: WIN_XP
Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Binary or memory string: WIN_XPe
Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Binary or memory string: WIN_VISTA
Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Binary or memory string: WIN_7
Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Binary or memory string: WIN_8
Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 0.2.Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe.1840000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe.1840000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1384703527.0000000001840000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3819962621.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe PID: 7988, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 8052, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe.1840000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe.1840000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3820969235.0000000003102000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1384703527.0000000001840000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3819962621.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3820969235.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe PID: 7988, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 8052, type: MEMORYSTR

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_001A6283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_001A6283
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_001A6747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_001A6747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	127 System Information Discovery	Distributed Component Object Model	21 Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	2 Valid Accounts	LSA Secrets	131 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Virtualization/Sandbox Evasion	Cached Domain Credentials	11 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	212 Process Injection	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe