Edit tour

Windows Analysis Report
Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Overview

General Information

Sample name:	Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe
Analysis ID:	1631472
MD5:	22b7cc1cfa88d65291dba5f4cd35f221
SHA1:	fe501709534bb94a026a73a021b7cc0bd179e639
SHA256:	96415deeb9e8eef066e51a6bdea3ef37719fb2dd5a66f566451c9546a481a0eb
Tags:	exeRedLineStealeruser-threatcat_ch
Infos:

Detection

PureLog Stealer, Snake Keylogger

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected PureLog Stealer

Yara detected Snake Keylogger

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Binary is likely a compiled AutoIt script file

Initial sample is a PE file and has a suspicious name

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

Sample uses string decryption to hide its real strings

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect the country of the analysis system (by using the IP)

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates processes with suspicious names

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe (PID: 3480 cmdline: "C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe" MD5: 22B7CC1CFA88D65291DBA5F4CD35F221)

RegSvcs.exe (PID: 6464 cmdline: "C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe (PID: 6980 cmdline: "C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe" MD5: 22B7CC1CFA88D65291DBA5F4CD35F221)

RegSvcs.exe (PID: 2724 cmdline: "C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7200174383:AAGiuIXRkOAbU2n4B0G-2otS20RqwZrRApI/sendMessage?chat_id=7365979371", "Token": "7200174383:AAGiuIXRkOAbU2n4B0G-2otS20RqwZrRApI", "Chat_id": "7365979371", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.3306333552.0000000003194000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.3306333552.0000000003194000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000004.00000002.3306333552.0000000003194000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000004.00000002.3306333552.0000000003194000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x6617e:$a1: get_encryptedPassword 0x66152:$a2: get_encryptedUsername 0x66216:$a3: get_timePasswordChanged 0x6612e:$a4: get_passwordField 0x66194:$a5: set_encryptedPassword 0x65f61:$a7: get_logins 0x625c4:$a10: KeyLoggerEventArgs 0x62593:$a11: KeyLoggerEventArgsEventHandler 0x66035:$a13: _encryptedPassword
00000004.00000002.3306333552.0000000003194000.00000004.00000020.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x693de:$x1: $%SMTPDV$ 0x67dc2:$x2: $#TheHashHere%& 0x69386:$x3: %FTPDV$ 0x67d62:$x4: $%TelegramDv$ 0x62593:$x5: KeyLoggerEventArgs 0x625c4:$x5: KeyLoggerEventArgs 0x693aa:$m2: Clipboard Logs ID 0x695e8:$m2: Screenshot Logs ID 0x696f8:$m2: keystroke Logs ID 0x699d2:$m3: SnakePW 0x695c0:$m4: \SnakeKeylogger\
00000000.00000002.2058120380.0000000001FD0000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 08 88 44 24 2B 88 44 24 2F B0 29 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000004.00000002.3306428942.0000000003350000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.3306428942.0000000003350000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000004.00000002.3306428942.0000000003350000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000004.00000002.3306428942.0000000003350000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x251e8:$a1: get_encryptedPassword 0x251bc:$a2: get_encryptedUsername 0x25280:$a3: get_timePasswordChanged 0x25198:$a4: get_passwordField 0x251fe:$a5: set_encryptedPassword 0x24fcb:$a7: get_logins 0x2162e:$a10: KeyLoggerEventArgs 0x215fd:$a11: KeyLoggerEventArgsEventHandler 0x2509f:$a13: _encryptedPassword
00000004.00000002.3306428942.0000000003350000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x2ae02:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2a033:$a3: \Google\Chrome\User Data\Default\Login Data 0x2a466:$a4: \Orbitum\User Data\Default\Login Data 0x2b4a7:$a5: \Kometa\User Data\Default\Login Data
00000004.00000002.3306428942.0000000003350000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x23ab5:$s1: UnHook 0x23a51:$s2: SetHook 0x23a8a:$s3: CallNextHook 0x23a19:$s4: _hook
00000004.00000002.3306428942.0000000003350000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x28448:$x1: $%SMTPDV$ 0x26e2c:$x2: $#TheHashHere%& 0x283f0:$x3: %FTPDV$ 0x26dcc:$x4: $%TelegramDv$ 0x215fd:$x5: KeyLoggerEventArgs 0x2162e:$x5: KeyLoggerEventArgs 0x28414:$m2: Clipboard Logs ID 0x28652:$m2: Screenshot Logs ID 0x28762:$m2: keystroke Logs ID 0x28a3c:$m3: SnakePW 0x2862a:$m4: \SnakeKeylogger\
00000004.00000002.3307382649.0000000004555000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.3307382649.0000000004555000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000004.00000002.3307382649.0000000004555000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000004.00000002.3307382649.0000000004555000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x25758:$a1: get_encryptedPassword 0x58a90:$a1: get_encryptedPassword 0x2572c:$a2: get_encryptedUsername 0x58a64:$a2: get_encryptedUsername 0x257f0:$a3: get_timePasswordChanged 0x58b28:$a3: get_timePasswordChanged 0x25708:$a4: get_passwordField 0x58a40:$a4: get_passwordField 0x2576e:$a5: set_encryptedPassword 0x58aa6:$a5: set_encryptedPassword 0x2553b:$a7: get_logins 0x58873:$a7: get_logins 0x21b9e:$a10: KeyLoggerEventArgs 0x54ed6:$a10: KeyLoggerEventArgs 0x21b6d:$a11: KeyLoggerEventArgsEventHandler 0x54ea5:$a11: KeyLoggerEventArgsEventHandler 0x2560f:$a13: _encryptedPassword 0x58947:$a13: _encryptedPassword
00000004.00000002.3307382649.0000000004555000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x289b8:$x1: $%SMTPDV$ 0x5bcf0:$x1: $%SMTPDV$ 0x2739c:$x2: $#TheHashHere%& 0x5a6d4:$x2: $#TheHashHere%& 0x28960:$x3: %FTPDV$ 0x5bc98:$x3: %FTPDV$ 0x2733c:$x4: $%TelegramDv$ 0x5a674:$x4: $%TelegramDv$ 0x21b6d:$x5: KeyLoggerEventArgs 0x21b9e:$x5: KeyLoggerEventArgs 0x54ea5:$x5: KeyLoggerEventArgs 0x54ed6:$x5: KeyLoggerEventArgs 0x28984:$m2: Clipboard Logs ID 0x28bc2:$m2: Screenshot Logs ID 0x28cd2:$m2: keystroke Logs ID 0x5bcbc:$m2: Clipboard Logs ID 0x5befa:$m2: Screenshot Logs ID 0x5c00a:$m2: keystroke Logs ID 0x28fac:$m3: SnakePW 0x5c2e4:$m3: SnakePW 0x28b9a:$m4: \SnakeKeylogger\
00000004.00000002.3305263132.0000000000400000.00000040.80000000.00040000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 08 88 44 24 2B 88 44 24 2F B0 29 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000003.00000002.2075541650.0000000000AB0000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 08 88 44 24 2B 88 44 24 2F B0 29 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000004.00000002.3306501144.00000000033D0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.3306501144.00000000033D0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000004.00000002.3306501144.00000000033D0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000004.00000002.3306501144.00000000033D0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x24300:$a1: get_encryptedPassword 0x242d4:$a2: get_encryptedUsername 0x24398:$a3: get_timePasswordChanged 0x242b0:$a4: get_passwordField 0x24316:$a5: set_encryptedPassword 0x240e3:$a7: get_logins 0x20746:$a10: KeyLoggerEventArgs 0x20715:$a11: KeyLoggerEventArgsEventHandler 0x241b7:$a13: _encryptedPassword
00000004.00000002.3306501144.00000000033D0000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x29f1a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2914b:$a3: \Google\Chrome\User Data\Default\Login Data 0x2957e:$a4: \Orbitum\User Data\Default\Login Data 0x2a5bf:$a5: \Kometa\User Data\Default\Login Data
00000004.00000002.3306501144.00000000033D0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x22bcd:$s1: UnHook 0x22b69:$s2: SetHook 0x22ba2:$s3: CallNextHook 0x22b31:$s4: _hook
00000004.00000002.3306501144.00000000033D0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x27560:$x1: $%SMTPDV$ 0x25f44:$x2: $#TheHashHere%& 0x27508:$x3: %FTPDV$ 0x25ee4:$x4: $%TelegramDv$ 0x20715:$x5: KeyLoggerEventArgs 0x20746:$x5: KeyLoggerEventArgs 0x2752c:$m2: Clipboard Logs ID 0x2776a:$m2: Screenshot Logs ID 0x2787a:$m2: keystroke Logs ID 0x27b54:$m3: SnakePW 0x27742:$m4: \SnakeKeylogger\
00000004.00000002.3306612590.00000000035B9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: RegSvcs.exe PID: 2724	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 2724	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegSvcs.exe PID: 2724	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: RegSvcs.exe PID: 2724	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x858d:$a1: get_encryptedPassword 0x2d3c6:$a1: get_encryptedPassword 0x3e098:$a1: get_encryptedPassword 0x4d5a3:$a1: get_encryptedPassword 0x8561:$a2: get_encryptedUsername 0x2d39a:$a2: get_encryptedUsername 0x3e06c:$a2: get_encryptedUsername 0x4d577:$a2: get_encryptedUsername 0x8625:$a3: get_timePasswordChanged 0x2d45e:$a3: get_timePasswordChanged 0x3e130:$a3: get_timePasswordChanged 0x4d63b:$a3: get_timePasswordChanged 0x853d:$a4: get_passwordField 0x2d376:$a4: get_passwordField 0x3e048:$a4: get_passwordField 0x4d553:$a4: get_passwordField 0x85a3:$a5: set_encryptedPassword 0x2d3dc:$a5: set_encryptedPassword 0x3e0ae:$a5: set_encryptedPassword 0x4d5b9:$a5: set_encryptedPassword 0x8379:$a7: get_logins
Process Memory Space: RegSvcs.exe PID: 2724	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x48b3:$x5: KeyLoggerEventArgs 0x48e4:$x5: KeyLoggerEventArgs 0x4924:$x5: KeyLoggerEventArgs 0x4953:$x5: KeyLoggerEventArgs 0x296ec:$x5: KeyLoggerEventArgs 0x2971d:$x5: KeyLoggerEventArgs 0x2975d:$x5: KeyLoggerEventArgs 0x2978c:$x5: KeyLoggerEventArgs 0x3a3be:$x5: KeyLoggerEventArgs 0x3a3ef:$x5: KeyLoggerEventArgs 0x3a42f:$x5: KeyLoggerEventArgs 0x3a45e:$x5: KeyLoggerEventArgs 0x497a4:$x5: KeyLoggerEventArgs 0x497d5:$x5: KeyLoggerEventArgs 0x49815:$x5: KeyLoggerEventArgs 0x49844:$x5: KeyLoggerEventArgs 0xc18c:$m2: Clipboard Logs ID 0xc291:$m2: Screenshot Logs ID 0xc319:$m2: keystroke Logs ID 0x30fc5:$m2: Clipboard Logs ID 0x310ca:$m2: Screenshot Logs ID
Click to see the 28 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 08 88 44 24 2B 88 44 24 2F B0 29 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
3.2.Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe.ab0000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 08 88 44 24 2B 88 44 24 2F B0 29 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
4.2.RegSvcs.exe.4589790.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.4589790.7.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.4589790.7.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
4.2.RegSvcs.exe.4589790.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.4589790.7.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.4589790.7.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
4.2.RegSvcs.exe.4589790.7.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x22500:$a1: get_encryptedPassword 0x224d4:$a2: get_encryptedUsername 0x22598:$a3: get_timePasswordChanged 0x224b0:$a4: get_passwordField 0x22516:$a5: set_encryptedPassword 0x222e3:$a7: get_logins 0x1e946:$a10: KeyLoggerEventArgs 0x1e915:$a11: KeyLoggerEventArgsEventHandler 0x223b7:$a13: _encryptedPassword
4.2.RegSvcs.exe.4589790.7.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x24300:$a1: get_encryptedPassword 0x242d4:$a2: get_encryptedUsername 0x24398:$a3: get_timePasswordChanged 0x242b0:$a4: get_passwordField 0x24316:$a5: set_encryptedPassword 0x240e3:$a7: get_logins 0x20746:$a10: KeyLoggerEventArgs 0x20715:$a11: KeyLoggerEventArgsEventHandler 0x241b7:$a13: _encryptedPassword
4.2.RegSvcs.exe.4556458.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.4556458.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.4556458.6.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
4.2.RegSvcs.exe.4589790.7.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x2811a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2734b:$a3: \Google\Chrome\User Data\Default\Login Data 0x2777e:$a4: \Orbitum\User Data\Default\Login Data 0x287bf:$a5: \Kometa\User Data\Default\Login Data
4.2.RegSvcs.exe.4589790.7.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x29f1a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2914b:$a3: \Google\Chrome\User Data\Default\Login Data 0x2957e:$a4: \Orbitum\User Data\Default\Login Data 0x2a5bf:$a5: \Kometa\User Data\Default\Login Data
4.2.RegSvcs.exe.3350ee8.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.3350ee8.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.3350ee8.4.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
4.2.RegSvcs.exe.4589790.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x22bcd:$s1: UnHook 0x22b69:$s2: SetHook 0x22ba2:$s3: CallNextHook 0x22b31:$s4: _hook
4.2.RegSvcs.exe.4589790.7.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x27560:$x1: $%SMTPDV$ 0x25f44:$x2: $#TheHashHere%& 0x27508:$x3: %FTPDV$ 0x25ee4:$x4: $%TelegramDv$ 0x20715:$x5: KeyLoggerEventArgs 0x20746:$x5: KeyLoggerEventArgs 0x2752c:$m2: Clipboard Logs ID 0x2776a:$m2: Screenshot Logs ID 0x2787a:$m2: keystroke Logs ID 0x27b54:$m3: SnakePW 0x27742:$m4: \SnakeKeylogger\
4.2.RegSvcs.exe.4556458.6.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x22500:$a1: get_encryptedPassword 0x224d4:$a2: get_encryptedUsername 0x22598:$a3: get_timePasswordChanged 0x224b0:$a4: get_passwordField 0x22516:$a5: set_encryptedPassword 0x222e3:$a7: get_logins 0x1e946:$a10: KeyLoggerEventArgs 0x1e915:$a11: KeyLoggerEventArgsEventHandler 0x223b7:$a13: _encryptedPassword
4.2.RegSvcs.exe.3350ee8.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.3350ee8.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.3350ee8.4.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
4.2.RegSvcs.exe.31d4f96.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.31d4f96.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.31d4f96.2.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
4.2.RegSvcs.exe.31d4f96.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x251e8:$a1: get_encryptedPassword 0x251bc:$a2: get_encryptedUsername 0x25280:$a3: get_timePasswordChanged 0x25198:$a4: get_passwordField 0x251fe:$a5: set_encryptedPassword 0x24fcb:$a7: get_logins 0x2162e:$a10: KeyLoggerEventArgs 0x215fd:$a11: KeyLoggerEventArgsEventHandler 0x2509f:$a13: _encryptedPassword
4.2.RegSvcs.exe.31d4f96.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x2ae02:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2a033:$a3: \Google\Chrome\User Data\Default\Login Data 0x2a466:$a4: \Orbitum\User Data\Default\Login Data 0x2b4a7:$a5: \Kometa\User Data\Default\Login Data
4.2.RegSvcs.exe.31d4f96.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x23ab5:$s1: UnHook 0x23a51:$s2: SetHook 0x23a8a:$s3: CallNextHook 0x23a19:$s4: _hook
4.2.RegSvcs.exe.31d4f96.2.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x28448:$x1: $%SMTPDV$ 0x26e2c:$x2: $#TheHashHere%& 0x283f0:$x3: %FTPDV$ 0x26dcc:$x4: $%TelegramDv$ 0x215fd:$x5: KeyLoggerEventArgs 0x2162e:$x5: KeyLoggerEventArgs 0x28414:$m2: Clipboard Logs ID 0x28652:$m2: Screenshot Logs ID 0x28762:$m2: keystroke Logs ID 0x28a3c:$m3: SnakePW 0x2862a:$m4: \SnakeKeylogger\
4.2.RegSvcs.exe.33d0000.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.4555570.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.3350ee8.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x24300:$a1: get_encryptedPassword 0x242d4:$a2: get_encryptedUsername 0x24398:$a3: get_timePasswordChanged 0x242b0:$a4: get_passwordField 0x24316:$a5: set_encryptedPassword 0x240e3:$a7: get_logins 0x20746:$a10: KeyLoggerEventArgs 0x20715:$a11: KeyLoggerEventArgsEventHandler 0x241b7:$a13: _encryptedPassword
4.2.RegSvcs.exe.33d0000.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.33d0000.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.33d0000.5.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
4.2.RegSvcs.exe.33d0000.5.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x22500:$a1: get_encryptedPassword 0x224d4:$a2: get_encryptedUsername 0x22598:$a3: get_timePasswordChanged 0x224b0:$a4: get_passwordField 0x22516:$a5: set_encryptedPassword 0x222e3:$a7: get_logins 0x1e946:$a10: KeyLoggerEventArgs 0x1e915:$a11: KeyLoggerEventArgsEventHandler 0x223b7:$a13: _encryptedPassword
4.2.RegSvcs.exe.33d0000.5.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x2811a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2734b:$a3: \Google\Chrome\User Data\Default\Login Data 0x2777e:$a4: \Orbitum\User Data\Default\Login Data 0x287bf:$a5: \Kometa\User Data\Default\Login Data
4.2.RegSvcs.exe.33d0000.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.33d0000.5.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
4.2.RegSvcs.exe.33d0000.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x24300:$a1: get_encryptedPassword 0x242d4:$a2: get_encryptedUsername 0x24398:$a3: get_timePasswordChanged 0x242b0:$a4: get_passwordField 0x24316:$a5: set_encryptedPassword 0x240e3:$a7: get_logins 0x20746:$a10: KeyLoggerEventArgs 0x20715:$a11: KeyLoggerEventArgsEventHandler 0x241b7:$a13: _encryptedPassword
4.2.RegSvcs.exe.31d5e7e.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.3350ee8.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x22500:$a1: get_encryptedPassword 0x224d4:$a2: get_encryptedUsername 0x22598:$a3: get_timePasswordChanged 0x224b0:$a4: get_passwordField 0x22516:$a5: set_encryptedPassword 0x222e3:$a7: get_logins 0x1e946:$a10: KeyLoggerEventArgs 0x1e915:$a11: KeyLoggerEventArgsEventHandler 0x223b7:$a13: _encryptedPassword
4.2.RegSvcs.exe.4556458.6.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x2811a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2734b:$a3: \Google\Chrome\User Data\Default\Login Data 0x2777e:$a4: \Orbitum\User Data\Default\Login Data 0x287bf:$a5: \Kometa\User Data\Default\Login Data
4.2.RegSvcs.exe.4589790.7.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x20dcd:$s1: UnHook 0x20d69:$s2: SetHook 0x20da2:$s3: CallNextHook 0x20d31:$s4: _hook
4.2.RegSvcs.exe.4556458.6.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x20dcd:$s1: UnHook 0x20d69:$s2: SetHook 0x20da2:$s3: CallNextHook 0x20d31:$s4: _hook
4.2.RegSvcs.exe.4556458.6.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x25760:$x1: $%SMTPDV$ 0x24144:$x2: $#TheHashHere%& 0x25708:$x3: %FTPDV$ 0x240e4:$x4: $%TelegramDv$ 0x1e915:$x5: KeyLoggerEventArgs 0x1e946:$x5: KeyLoggerEventArgs 0x2572c:$m2: Clipboard Logs ID 0x2596a:$m2: Screenshot Logs ID 0x25a7a:$m2: keystroke Logs ID 0x25d54:$m3: SnakePW 0x25942:$m4: \SnakeKeylogger\
4.2.RegSvcs.exe.3350ee8.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x29f1a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2914b:$a3: \Google\Chrome\User Data\Default\Login Data 0x2957e:$a4: \Orbitum\User Data\Default\Login Data 0x2a5bf:$a5: \Kometa\User Data\Default\Login Data
4.2.RegSvcs.exe.33d0000.5.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x29f1a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2914b:$a3: \Google\Chrome\User Data\Default\Login Data 0x2957e:$a4: \Orbitum\User Data\Default\Login Data 0x2a5bf:$a5: \Kometa\User Data\Default\Login Data
4.2.RegSvcs.exe.31d5e7e.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.31d5e7e.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
4.2.RegSvcs.exe.4589790.7.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x25760:$x1: $%SMTPDV$ 0x24144:$x2: $#TheHashHere%& 0x25708:$x3: %FTPDV$ 0x240e4:$x4: $%TelegramDv$ 0x1e915:$x5: KeyLoggerEventArgs 0x1e946:$x5: KeyLoggerEventArgs 0x2572c:$m2: Clipboard Logs ID 0x2596a:$m2: Screenshot Logs ID 0x25a7a:$m2: keystroke Logs ID 0x25d54:$m3: SnakePW 0x25942:$m4: \SnakeKeylogger\
4.2.RegSvcs.exe.33d0000.5.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x20dcd:$s1: UnHook 0x20d69:$s2: SetHook 0x20da2:$s3: CallNextHook 0x20d31:$s4: _hook
4.2.RegSvcs.exe.33d0000.5.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x25760:$x1: $%SMTPDV$ 0x24144:$x2: $#TheHashHere%& 0x25708:$x3: %FTPDV$ 0x240e4:$x4: $%TelegramDv$ 0x1e915:$x5: KeyLoggerEventArgs 0x1e946:$x5: KeyLoggerEventArgs 0x2572c:$m2: Clipboard Logs ID 0x2596a:$m2: Screenshot Logs ID 0x25a7a:$m2: keystroke Logs ID 0x25d54:$m3: SnakePW 0x25942:$m4: \SnakeKeylogger\
4.2.RegSvcs.exe.4555570.8.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.3350ee8.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x22bcd:$s1: UnHook 0x22b69:$s2: SetHook 0x22ba2:$s3: CallNextHook 0x22b31:$s4: _hook
4.2.RegSvcs.exe.33d0000.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x22bcd:$s1: UnHook 0x22b69:$s2: SetHook 0x22ba2:$s3: CallNextHook 0x22b31:$s4: _hook
4.2.RegSvcs.exe.4555570.8.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
4.2.RegSvcs.exe.31d5e7e.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x24300:$a1: get_encryptedPassword 0x242d4:$a2: get_encryptedUsername 0x24398:$a3: get_timePasswordChanged 0x242b0:$a4: get_passwordField 0x24316:$a5: set_encryptedPassword 0x240e3:$a7: get_logins 0x20746:$a10: KeyLoggerEventArgs 0x20715:$a11: KeyLoggerEventArgsEventHandler 0x241b7:$a13: _encryptedPassword
4.2.RegSvcs.exe.3350ee8.4.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x27560:$x1: $%SMTPDV$ 0x25f44:$x2: $#TheHashHere%& 0x27508:$x3: %FTPDV$ 0x25ee4:$x4: $%TelegramDv$ 0x20715:$x5: KeyLoggerEventArgs 0x20746:$x5: KeyLoggerEventArgs 0x2752c:$m2: Clipboard Logs ID 0x2776a:$m2: Screenshot Logs ID 0x2787a:$m2: keystroke Logs ID 0x27b54:$m3: SnakePW 0x27742:$m4: \SnakeKeylogger\
4.2.RegSvcs.exe.33d0000.5.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x27560:$x1: $%SMTPDV$ 0x25f44:$x2: $#TheHashHere%& 0x27508:$x3: %FTPDV$ 0x25ee4:$x4: $%TelegramDv$ 0x20715:$x5: KeyLoggerEventArgs 0x20746:$x5: KeyLoggerEventArgs 0x2752c:$m2: Clipboard Logs ID 0x2776a:$m2: Screenshot Logs ID 0x2787a:$m2: keystroke Logs ID 0x27b54:$m3: SnakePW 0x27742:$m4: \SnakeKeylogger\
4.2.RegSvcs.exe.3350ee8.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x2811a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2734b:$a3: \Google\Chrome\User Data\Default\Login Data 0x2777e:$a4: \Orbitum\User Data\Default\Login Data 0x287bf:$a5: \Kometa\User Data\Default\Login Data
4.2.RegSvcs.exe.4555570.8.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x233e8:$a1: get_encryptedPassword 0x233bc:$a2: get_encryptedUsername 0x23480:$a3: get_timePasswordChanged 0x23398:$a4: get_passwordField 0x233fe:$a5: set_encryptedPassword 0x231cb:$a7: get_logins 0x1f82e:$a10: KeyLoggerEventArgs 0x1f7fd:$a11: KeyLoggerEventArgsEventHandler 0x2329f:$a13: _encryptedPassword
4.2.RegSvcs.exe.3350ee8.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x20dcd:$s1: UnHook 0x20d69:$s2: SetHook 0x20da2:$s3: CallNextHook 0x20d31:$s4: _hook
4.2.RegSvcs.exe.3350ee8.4.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x25760:$x1: $%SMTPDV$ 0x24144:$x2: $#TheHashHere%& 0x25708:$x3: %FTPDV$ 0x240e4:$x4: $%TelegramDv$ 0x1e915:$x5: KeyLoggerEventArgs 0x1e946:$x5: KeyLoggerEventArgs 0x2572c:$m2: Clipboard Logs ID 0x2596a:$m2: Screenshot Logs ID 0x25a7a:$m2: keystroke Logs ID 0x25d54:$m3: SnakePW 0x25942:$m4: \SnakeKeylogger\
4.2.RegSvcs.exe.4555570.8.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x29002:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x28233:$a3: \Google\Chrome\User Data\Default\Login Data 0x28666:$a4: \Orbitum\User Data\Default\Login Data 0x296a7:$a5: \Kometa\User Data\Default\Login Data
4.2.RegSvcs.exe.4555570.8.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x21cb5:$s1: UnHook 0x21c51:$s2: SetHook 0x21c8a:$s3: CallNextHook 0x21c19:$s4: _hook
4.2.RegSvcs.exe.4555570.8.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x26648:$x1: $%SMTPDV$ 0x2502c:$x2: $#TheHashHere%& 0x265f0:$x3: %FTPDV$ 0x24fcc:$x4: $%TelegramDv$ 0x1f7fd:$x5: KeyLoggerEventArgs 0x1f82e:$x5: KeyLoggerEventArgs 0x26614:$m2: Clipboard Logs ID 0x26852:$m2: Screenshot Logs ID 0x26962:$m2: keystroke Logs ID 0x26c3c:$m3: SnakePW 0x2682a:$m4: \SnakeKeylogger\
4.2.RegSvcs.exe.31d5e7e.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x29f1a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2914b:$a3: \Google\Chrome\User Data\Default\Login Data 0x2957e:$a4: \Orbitum\User Data\Default\Login Data 0x2a5bf:$a5: \Kometa\User Data\Default\Login Data
4.2.RegSvcs.exe.31d5e7e.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x22bcd:$s1: UnHook 0x22b69:$s2: SetHook 0x22ba2:$s3: CallNextHook 0x22b31:$s4: _hook
4.2.RegSvcs.exe.31d5e7e.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x27560:$x1: $%SMTPDV$ 0x25f44:$x2: $#TheHashHere%& 0x27508:$x3: %FTPDV$ 0x25ee4:$x4: $%TelegramDv$ 0x20715:$x5: KeyLoggerEventArgs 0x20746:$x5: KeyLoggerEventArgs 0x2752c:$m2: Clipboard Logs ID 0x2776a:$m2: Screenshot Logs ID 0x2787a:$m2: keystroke Logs ID 0x27b54:$m3: SnakePW 0x27742:$m4: \SnakeKeylogger\
4.2.RegSvcs.exe.4555570.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.4555570.8.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.4555570.8.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
4.2.RegSvcs.exe.4555570.8.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x251e8:$a1: get_encryptedPassword 0x58520:$a1: get_encryptedPassword 0x251bc:$a2: get_encryptedUsername 0x584f4:$a2: get_encryptedUsername 0x25280:$a3: get_timePasswordChanged 0x585b8:$a3: get_timePasswordChanged 0x25198:$a4: get_passwordField 0x584d0:$a4: get_passwordField 0x251fe:$a5: set_encryptedPassword 0x58536:$a5: set_encryptedPassword 0x24fcb:$a7: get_logins 0x58303:$a7: get_logins 0x2162e:$a10: KeyLoggerEventArgs 0x54966:$a10: KeyLoggerEventArgs 0x215fd:$a11: KeyLoggerEventArgsEventHandler 0x54935:$a11: KeyLoggerEventArgsEventHandler 0x2509f:$a13: _encryptedPassword 0x583d7:$a13: _encryptedPassword
4.2.RegSvcs.exe.4555570.8.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x2ae02:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x5e13a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2a033:$a3: \Google\Chrome\User Data\Default\Login Data 0x5d36b:$a3: \Google\Chrome\User Data\Default\Login Data 0x2a466:$a4: \Orbitum\User Data\Default\Login Data 0x5d79e:$a4: \Orbitum\User Data\Default\Login Data 0x2b4a7:$a5: \Kometa\User Data\Default\Login Data 0x5e7df:$a5: \Kometa\User Data\Default\Login Data
4.2.RegSvcs.exe.4555570.8.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x23ab5:$s1: UnHook 0x56ded:$s1: UnHook 0x23a51:$s2: SetHook 0x56d89:$s2: SetHook 0x23a8a:$s3: CallNextHook 0x56dc2:$s3: CallNextHook 0x23a19:$s4: _hook 0x56d51:$s4: _hook
4.2.RegSvcs.exe.4555570.8.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x28448:$x1: $%SMTPDV$ 0x5b780:$x1: $%SMTPDV$ 0x26e2c:$x2: $#TheHashHere%& 0x5a164:$x2: $#TheHashHere%& 0x283f0:$x3: %FTPDV$ 0x5b728:$x3: %FTPDV$ 0x26dcc:$x4: $%TelegramDv$ 0x5a104:$x4: $%TelegramDv$ 0x215fd:$x5: KeyLoggerEventArgs 0x2162e:$x5: KeyLoggerEventArgs 0x54935:$x5: KeyLoggerEventArgs 0x54966:$x5: KeyLoggerEventArgs 0x28414:$m2: Clipboard Logs ID 0x28652:$m2: Screenshot Logs ID 0x28762:$m2: keystroke Logs ID 0x5b74c:$m2: Clipboard Logs ID 0x5b98a:$m2: Screenshot Logs ID 0x5ba9a:$m2: keystroke Logs ID 0x28a3c:$m3: SnakePW 0x5bd74:$m3: SnakePW 0x2862a:$m4: \SnakeKeylogger\
0.2.Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe.1fd0000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 08 88 44 24 2B 88 44 24 2F B0 29 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
4.2.RegSvcs.exe.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 08 88 44 24 2B 88 44 24 2F B0 29 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
4.2.RegSvcs.exe.31d5e7e.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.31d5e7e.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.31d5e7e.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
4.2.RegSvcs.exe.31d5e7e.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x22500:$a1: get_encryptedPassword 0x224d4:$a2: get_encryptedUsername 0x22598:$a3: get_timePasswordChanged 0x224b0:$a4: get_passwordField 0x22516:$a5: set_encryptedPassword 0x222e3:$a7: get_logins 0x1e946:$a10: KeyLoggerEventArgs 0x1e915:$a11: KeyLoggerEventArgsEventHandler 0x223b7:$a13: _encryptedPassword
4.2.RegSvcs.exe.31d5e7e.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x2811a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2734b:$a3: \Google\Chrome\User Data\Default\Login Data 0x2777e:$a4: \Orbitum\User Data\Default\Login Data 0x287bf:$a5: \Kometa\User Data\Default\Login Data
4.2.RegSvcs.exe.31d5e7e.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x20dcd:$s1: UnHook 0x20d69:$s2: SetHook 0x20da2:$s3: CallNextHook 0x20d31:$s4: _hook
4.2.RegSvcs.exe.31d5e7e.1.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x25760:$x1: $%SMTPDV$ 0x24144:$x2: $#TheHashHere%& 0x25708:$x3: %FTPDV$ 0x240e4:$x4: $%TelegramDv$ 0x1e915:$x5: KeyLoggerEventArgs 0x1e946:$x5: KeyLoggerEventArgs 0x2572c:$m2: Clipboard Logs ID 0x2596a:$m2: Screenshot Logs ID 0x25a7a:$m2: keystroke Logs ID 0x25d54:$m3: SnakePW 0x25942:$m4: \SnakeKeylogger\
4.2.RegSvcs.exe.31d4f96.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.31d4f96.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.31d4f96.2.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
4.2.RegSvcs.exe.31d4f96.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x233e8:$a1: get_encryptedPassword 0x233bc:$a2: get_encryptedUsername 0x23480:$a3: get_timePasswordChanged 0x23398:$a4: get_passwordField 0x233fe:$a5: set_encryptedPassword 0x231cb:$a7: get_logins 0x1f82e:$a10: KeyLoggerEventArgs 0x1f7fd:$a11: KeyLoggerEventArgsEventHandler 0x2329f:$a13: _encryptedPassword
4.2.RegSvcs.exe.31d4f96.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x29002:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x28233:$a3: \Google\Chrome\User Data\Default\Login Data 0x28666:$a4: \Orbitum\User Data\Default\Login Data 0x296a7:$a5: \Kometa\User Data\Default\Login Data
4.2.RegSvcs.exe.31d4f96.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x21cb5:$s1: UnHook 0x21c51:$s2: SetHook 0x21c8a:$s3: CallNextHook 0x21c19:$s4: _hook
4.2.RegSvcs.exe.31d4f96.2.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x26648:$x1: $%SMTPDV$ 0x2502c:$x2: $#TheHashHere%& 0x265f0:$x3: %FTPDV$ 0x24fcc:$x4: $%TelegramDv$ 0x1f7fd:$x5: KeyLoggerEventArgs 0x1f82e:$x5: KeyLoggerEventArgs 0x26614:$m2: Clipboard Logs ID 0x26852:$m2: Screenshot Logs ID 0x26962:$m2: keystroke Logs ID 0x26c3c:$m3: SnakePW 0x2682a:$m4: \SnakeKeylogger\
4.2.RegSvcs.exe.3350000.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.3350000.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.3350000.3.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
4.2.RegSvcs.exe.3350000.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x251e8:$a1: get_encryptedPassword 0x251bc:$a2: get_encryptedUsername 0x25280:$a3: get_timePasswordChanged 0x25198:$a4: get_passwordField 0x251fe:$a5: set_encryptedPassword 0x24fcb:$a7: get_logins 0x2162e:$a10: KeyLoggerEventArgs 0x215fd:$a11: KeyLoggerEventArgsEventHandler 0x2509f:$a13: _encryptedPassword
4.2.RegSvcs.exe.3350000.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x2ae02:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2a033:$a3: \Google\Chrome\User Data\Default\Login Data 0x2a466:$a4: \Orbitum\User Data\Default\Login Data 0x2b4a7:$a5: \Kometa\User Data\Default\Login Data
4.2.RegSvcs.exe.3350000.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x23ab5:$s1: UnHook 0x23a51:$s2: SetHook 0x23a8a:$s3: CallNextHook 0x23a19:$s4: _hook
4.2.RegSvcs.exe.3350000.3.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x28448:$x1: $%SMTPDV$ 0x26e2c:$x2: $#TheHashHere%& 0x283f0:$x3: %FTPDV$ 0x26dcc:$x4: $%TelegramDv$ 0x215fd:$x5: KeyLoggerEventArgs 0x2162e:$x5: KeyLoggerEventArgs 0x28414:$m2: Clipboard Logs ID 0x28652:$m2: Screenshot Logs ID 0x28762:$m2: keystroke Logs ID 0x28a3c:$m3: SnakePW 0x2862a:$m4: \SnakeKeylogger\
4.2.RegSvcs.exe.3350000.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.3350000.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.3350000.3.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
4.2.RegSvcs.exe.3350000.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x233e8:$a1: get_encryptedPassword 0x233bc:$a2: get_encryptedUsername 0x23480:$a3: get_timePasswordChanged 0x23398:$a4: get_passwordField 0x233fe:$a5: set_encryptedPassword 0x231cb:$a7: get_logins 0x1f82e:$a10: KeyLoggerEventArgs 0x1f7fd:$a11: KeyLoggerEventArgsEventHandler 0x2329f:$a13: _encryptedPassword
4.2.RegSvcs.exe.3350000.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x29002:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x28233:$a3: \Google\Chrome\User Data\Default\Login Data 0x28666:$a4: \Orbitum\User Data\Default\Login Data 0x296a7:$a5: \Kometa\User Data\Default\Login Data
4.2.RegSvcs.exe.3350000.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x21cb5:$s1: UnHook 0x21c51:$s2: SetHook 0x21c8a:$s3: CallNextHook 0x21c19:$s4: _hook
4.2.RegSvcs.exe.3350000.3.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x26648:$x1: $%SMTPDV$ 0x2502c:$x2: $#TheHashHere%& 0x265f0:$x3: %FTPDV$ 0x24fcc:$x4: $%TelegramDv$ 0x1f7fd:$x5: KeyLoggerEventArgs 0x1f82e:$x5: KeyLoggerEventArgs 0x26614:$m2: Clipboard Logs ID 0x26852:$m2: Screenshot Logs ID 0x26962:$m2: keystroke Logs ID 0x26c3c:$m3: SnakePW 0x2682a:$m4: \SnakeKeylogger\
4.2.RegSvcs.exe.4556458.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.4556458.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.4556458.6.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
4.2.RegSvcs.exe.4556458.6.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x24300:$a1: get_encryptedPassword 0x57638:$a1: get_encryptedPassword 0x242d4:$a2: get_encryptedUsername 0x5760c:$a2: get_encryptedUsername 0x24398:$a3: get_timePasswordChanged 0x576d0:$a3: get_timePasswordChanged 0x242b0:$a4: get_passwordField 0x575e8:$a4: get_passwordField 0x24316:$a5: set_encryptedPassword 0x5764e:$a5: set_encryptedPassword 0x240e3:$a7: get_logins 0x5741b:$a7: get_logins 0x20746:$a10: KeyLoggerEventArgs 0x53a7e:$a10: KeyLoggerEventArgs 0x20715:$a11: KeyLoggerEventArgsEventHandler 0x53a4d:$a11: KeyLoggerEventArgsEventHandler 0x241b7:$a13: _encryptedPassword 0x574ef:$a13: _encryptedPassword
4.2.RegSvcs.exe.4556458.6.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x29f1a:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x5d252:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2914b:$a3: \Google\Chrome\User Data\Default\Login Data 0x5c483:$a3: \Google\Chrome\User Data\Default\Login Data 0x2957e:$a4: \Orbitum\User Data\Default\Login Data 0x5c8b6:$a4: \Orbitum\User Data\Default\Login Data 0x2a5bf:$a5: \Kometa\User Data\Default\Login Data 0x5d8f7:$a5: \Kometa\User Data\Default\Login Data
4.2.RegSvcs.exe.4556458.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x22bcd:$s1: UnHook 0x55f05:$s1: UnHook 0x22b69:$s2: SetHook 0x55ea1:$s2: SetHook 0x22ba2:$s3: CallNextHook 0x55eda:$s3: CallNextHook 0x22b31:$s4: _hook 0x55e69:$s4: _hook
4.2.RegSvcs.exe.4556458.6.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x27560:$x1: $%SMTPDV$ 0x5a898:$x1: $%SMTPDV$ 0x25f44:$x2: $#TheHashHere%& 0x5927c:$x2: $#TheHashHere%& 0x27508:$x3: %FTPDV$ 0x5a840:$x3: %FTPDV$ 0x25ee4:$x4: $%TelegramDv$ 0x5921c:$x4: $%TelegramDv$ 0x20715:$x5: KeyLoggerEventArgs 0x20746:$x5: KeyLoggerEventArgs 0x53a4d:$x5: KeyLoggerEventArgs 0x53a7e:$x5: KeyLoggerEventArgs 0x2752c:$m2: Clipboard Logs ID 0x2776a:$m2: Screenshot Logs ID 0x2787a:$m2: keystroke Logs ID 0x5a864:$m2: Clipboard Logs ID 0x5aaa2:$m2: Screenshot Logs ID 0x5abb2:$m2: keystroke Logs ID 0x27b54:$m3: SnakePW 0x5ae8c:$m3: SnakePW 0x27742:$m4: \SnakeKeylogger\
Click to see the 111 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T07:25:24.805221+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49704	132.226.8.169	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000004.00000002.3306333552.0000000003194000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7200174383:AAGiuIXRkOAbU2n4B0G-2otS20RqwZrRApI/sendMessage?chat_id=7365979371", "Token": "7200174383:AAGiuIXRkOAbU2n4B0G-2otS20RqwZrRApI", "Chat_id": "7365979371", "Version": "5.1"}

Multi AV Scanner detection for submitted file

Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Virustotal: Detection: 54%			Perma Link
Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	ReversingLabs: Detection: 55%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 4.2.RegSvcs.exe.4589790.7.raw.unpack	String decryptor:
Source: 4.2.RegSvcs.exe.4589790.7.raw.unpack	String decryptor: 7200174383:AAGiuIXRkOAbU2n4B0G-2otS20RqwZrRApI
Source: 4.2.RegSvcs.exe.4589790.7.raw.unpack	String decryptor: 7365979371

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: _.pdb source: RegSvcs.exe, 00000004.00000002.3306333552.0000000003194000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3306428942.0000000003350000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3307382649.0000000004555000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe, 00000000.00000003.2054899838.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe, 00000000.00000003.2055678386.0000000004190000.00000004.00001000.00020000.00000000.sdmp, Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe, 00000003.00000003.2070860319.00000000035A0000.00000004.00001000.00020000.00000000.sdmp, Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe, 00000003.00000003.2072370432.0000000003740000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe, 00000000.00000003.2054899838.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe, 00000000.00000003.2055678386.0000000004190000.00000004.00001000.00020000.00000000.sdmp, Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe, 00000003.00000003.2070860319.00000000035A0000.00000004.00001000.00020000.00000000.sdmp, Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe, 00000003.00000003.2072370432.0000000003740000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00BC445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00BC445A
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00BCC6D1 FindFirstFileW,FindClose,	0_2_00BCC6D1
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00BCC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00BCC75C
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00BCEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00BCEF95
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00BCF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00BCF0F2
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00BCF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00BCF3F3
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00BC37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00BC37EF
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00BC3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00BC3B12
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00BCBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00BCBCBC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h

4_2_02FBE258

Source: Joe Sandbox View	IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View	IP Address: 104.21.112.1 104.21.112.1
Source: Joe Sandbox View	IP Address: 104.21.112.1 104.21.112.1

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic

Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49704 -> 132.226.8.169:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Code function: 0_2_00BD22EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00BD22EE

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: RegSvcs.exe, 00000004.00000002.3306612590.00000000036B0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3306612590.0000000003683000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000004.00000002.3306612590.0000000003673000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3306612590.00000000036B0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3306612590.0000000003683000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000004.00000002.3305850425.00000000015EB000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3306612590.00000000035B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: RegSvcs.exe, 00000004.00000002.3306333552.0000000003194000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3306428942.0000000003350000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3307382649.0000000004555000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3306501144.00000000033D0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000004.00000002.3306612590.00000000036A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000004.00000002.3306612590.00000000035B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000004.00000002.3306612590.00000000036B0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3306612590.0000000003683000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: RegSvcs.exe, 00000004.00000002.3306333552.0000000003194000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3306428942.0000000003350000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3306612590.0000000003683000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3307382649.0000000004555000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3306501144.00000000033D0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000004.00000002.3306612590.0000000003683000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: RegSvcs.exe, 00000004.00000002.3306612590.00000000036B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Code function: 0_2_00BD4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00BD4164

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Code function: 0_2_00BD4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00BD4164

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Code function: 0_2_00BD3F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00BD3F66

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Code function: 0_2_00BC001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00BC001C

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Code function: 0_2_00BECABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00BECABC

System Summary

Malicious sample detected (through community Yara rule)

Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 3.2.Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe.ab0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 4.2.RegSvcs.exe.4589790.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.4589790.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.4589790.7.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RegSvcs.exe.4589790.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RegSvcs.exe.4589790.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.RegSvcs.exe.4589790.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 4.2.RegSvcs.exe.4556458.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.31d4f96.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.31d4f96.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RegSvcs.exe.31d4f96.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.RegSvcs.exe.31d4f96.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 4.2.RegSvcs.exe.3350ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.33d0000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.33d0000.5.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RegSvcs.exe.33d0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.3350ee8.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.4556458.6.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RegSvcs.exe.4589790.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.RegSvcs.exe.4556458.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.RegSvcs.exe.4556458.6.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 4.2.RegSvcs.exe.3350ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RegSvcs.exe.33d0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RegSvcs.exe.4589790.7.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 4.2.RegSvcs.exe.33d0000.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.RegSvcs.exe.33d0000.5.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 4.2.RegSvcs.exe.3350ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.RegSvcs.exe.33d0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.RegSvcs.exe.31d5e7e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.3350ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 4.2.RegSvcs.exe.33d0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 4.2.RegSvcs.exe.3350ee8.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RegSvcs.exe.4555570.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.3350ee8.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.RegSvcs.exe.3350ee8.4.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 4.2.RegSvcs.exe.4555570.8.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RegSvcs.exe.4555570.8.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.RegSvcs.exe.4555570.8.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 4.2.RegSvcs.exe.31d5e7e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RegSvcs.exe.31d5e7e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.RegSvcs.exe.31d5e7e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 4.2.RegSvcs.exe.4555570.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.4555570.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RegSvcs.exe.4555570.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.RegSvcs.exe.4555570.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe.1fd0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 4.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 4.2.RegSvcs.exe.31d5e7e.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.31d5e7e.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RegSvcs.exe.31d5e7e.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.RegSvcs.exe.31d5e7e.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 4.2.RegSvcs.exe.31d4f96.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.31d4f96.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RegSvcs.exe.31d4f96.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.RegSvcs.exe.31d4f96.2.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 4.2.RegSvcs.exe.3350000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.3350000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RegSvcs.exe.3350000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.RegSvcs.exe.3350000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 4.2.RegSvcs.exe.3350000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.3350000.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RegSvcs.exe.3350000.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.RegSvcs.exe.3350000.3.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 4.2.RegSvcs.exe.4556458.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.RegSvcs.exe.4556458.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.RegSvcs.exe.4556458.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.RegSvcs.exe.4556458.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000004.00000002.3306333552.0000000003194000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000004.00000002.3306333552.0000000003194000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.2058120380.0000000001FD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000004.00000002.3306428942.0000000003350000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000004.00000002.3306428942.0000000003350000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000004.00000002.3306428942.0000000003350000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000004.00000002.3306428942.0000000003350000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000004.00000002.3307382649.0000000004555000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000004.00000002.3307382649.0000000004555000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000004.00000002.3305263132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000003.00000002.2075541650.0000000000AB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000004.00000002.3306501144.00000000033D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000004.00000002.3306501144.00000000033D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000004.00000002.3306501144.00000000033D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000004.00000002.3306501144.00000000033D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: RegSvcs.exe PID: 2724, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 2724, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00B63B3A
Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe, 00000000.00000000.2042589172.0000000000C14000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_d7450aac-8
Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe, 00000000.00000000.2042589172.0000000000C14000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_f9651a5a-a
Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe, 00000003.00000002.2075719366.0000000000C14000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_b6e40b36-8
Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe, 00000003.00000002.2075719366.0000000000C14000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_4dc50547-8
Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_14f6bb0a-3
Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_3c2bf7a3-f

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Code function: 0_2_00BCA1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_00BCA1EF

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Code function: 0_2_00BB8310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00BB8310

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Code function: 0_2_00BC51BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00BC51BD

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00B6E6A0	0_2_00B6E6A0
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00B8D975	0_2_00B8D975
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00B6FCE0	0_2_00B6FCE0
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00B821C5	0_2_00B821C5
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00B962D2	0_2_00B962D2
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00BE03DA	0_2_00BE03DA
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00B9242E	0_2_00B9242E
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00B825FA	0_2_00B825FA
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00B766E1	0_2_00B766E1
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00BBE616	0_2_00BBE616
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00B9878F	0_2_00B9878F
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00BC8889	0_2_00BC8889
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00B78808	0_2_00B78808
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00BE0857	0_2_00BE0857
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00B96844	0_2_00B96844
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00B8CB21	0_2_00B8CB21
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00B96DB6	0_2_00B96DB6
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00B76F9E	0_2_00B76F9E
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00B73030	0_2_00B73030
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00B83187	0_2_00B83187
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00B8F1D9	0_2_00B8F1D9
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00B61287	0_2_00B61287
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00B81484	0_2_00B81484
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00B75520	0_2_00B75520
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00B87696	0_2_00B87696
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00B75760	0_2_00B75760
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00B81978	0_2_00B81978
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00B99AB5	0_2_00B99AB5
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00B8BDA6	0_2_00B8BDA6
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00B81D90	0_2_00B81D90
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00BE7DDB	0_2_00BE7DDB
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00B73FE0	0_2_00B73FE0
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00B6DF00	0_2_00B6DF00
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_01741598	0_2_01741598
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 3_2_00DBA3A0	3_2_00DBA3A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00408C60	4_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0040DC11	4_2_0040DC11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00407C3F	4_2_00407C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00418CCC	4_2_00418CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00406CA0	4_2_00406CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_004028B0	4_2_004028B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0041A4BE	4_2_0041A4BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00418244	4_2_00418244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00401650	4_2_00401650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00402F20	4_2_00402F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_004193C4	4_2_004193C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00418788	4_2_00418788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00402F89	4_2_00402F89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00402B90	4_2_00402B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_004073A0	4_2_004073A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_02FB12C0	4_2_02FB12C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_02FB12B0	4_2_02FB12B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_02FB1560	4_2_02FB1560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_02FB1550	4_2_02FB1550

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0040E1D8 appears 44 times
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: String function: 00B67DE1 appears 35 times
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: String function: 00B80AE3 appears 70 times
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: String function: 00B88900 appears 42 times

Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe, 00000000.00000003.2055541458.0000000004113000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe
Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe, 00000000.00000003.2055138398.00000000042BD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe
Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe, 00000000.00000002.2058120380.0000000001FD0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe
Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe, 00000003.00000003.2072761527.00000000036C3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe
Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe, 00000003.00000003.2072944831.000000000386D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe
Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe, 00000003.00000002.2075541650.0000000000AB0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 3.2.Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe.ab0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 4.2.RegSvcs.exe.4589790.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.4589790.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.4589790.7.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.4589790.7.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.4589790.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.RegSvcs.exe.4589790.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.2.RegSvcs.exe.4556458.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.31d4f96.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.31d4f96.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.31d4f96.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.RegSvcs.exe.31d4f96.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.2.RegSvcs.exe.3350ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.33d0000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.33d0000.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.33d0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.3350ee8.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.4556458.6.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.4589790.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.RegSvcs.exe.4556458.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.RegSvcs.exe.4556458.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.2.RegSvcs.exe.3350ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.33d0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.4589790.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.2.RegSvcs.exe.33d0000.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.RegSvcs.exe.33d0000.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.2.RegSvcs.exe.3350ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.RegSvcs.exe.33d0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.RegSvcs.exe.31d5e7e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.3350ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.2.RegSvcs.exe.33d0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.2.RegSvcs.exe.3350ee8.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.4555570.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.3350ee8.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.RegSvcs.exe.3350ee8.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.2.RegSvcs.exe.4555570.8.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.4555570.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.RegSvcs.exe.4555570.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.2.RegSvcs.exe.31d5e7e.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.31d5e7e.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.RegSvcs.exe.31d5e7e.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.2.RegSvcs.exe.4555570.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.4555570.8.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.4555570.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.RegSvcs.exe.4555570.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe.1fd0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 4.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 4.2.RegSvcs.exe.31d5e7e.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.31d5e7e.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.31d5e7e.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.RegSvcs.exe.31d5e7e.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.2.RegSvcs.exe.31d4f96.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.31d4f96.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.31d4f96.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.RegSvcs.exe.31d4f96.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.2.RegSvcs.exe.3350000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.3350000.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.3350000.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.RegSvcs.exe.3350000.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.2.RegSvcs.exe.3350000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.3350000.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.3350000.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.RegSvcs.exe.3350000.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 4.2.RegSvcs.exe.4556458.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.RegSvcs.exe.4556458.6.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.4556458.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.RegSvcs.exe.4556458.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000004.00000002.3306333552.0000000003194000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000004.00000002.3306333552.0000000003194000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.2058120380.0000000001FD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000004.00000002.3306428942.0000000003350000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000004.00000002.3306428942.0000000003350000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.3306428942.0000000003350000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000004.00000002.3306428942.0000000003350000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000004.00000002.3307382649.0000000004555000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000004.00000002.3307382649.0000000004555000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000004.00000002.3305263132.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000003.00000002.2075541650.0000000000AB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000004.00000002.3306501144.00000000033D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000004.00000002.3306501144.00000000033D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.3306501144.00000000033D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000004.00000002.3306501144.00000000033D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: RegSvcs.exe PID: 2724, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 2724, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: 4.2.RegSvcs.exe.4589790.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.RegSvcs.exe.4589790.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.RegSvcs.exe.33d0000.5.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.RegSvcs.exe.33d0000.5.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.RegSvcs.exe.33d0000.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.RegSvcs.exe.33d0000.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.RegSvcs.exe.33d0000.5.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.RegSvcs.exe.33d0000.5.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.RegSvcs.exe.3350ee8.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.RegSvcs.exe.3350ee8.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.RegSvcs.exe.31d5e7e.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.RegSvcs.exe.31d5e7e.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/3@2/2

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Code function: 0_2_00BCA06A GetLastError,FormatMessageW,

0_2_00BCA06A

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00BB81CB AdjustTokenPrivileges,CloseHandle,		0_2_00BB81CB
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00BB87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00BB87E1

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Code function: 0_2_00BCB3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00BCB3FB

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Code function: 0_2_00BDEE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00BDEE0D

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Code function: 0_2_00BD83BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_00BD83BB

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Code function: 0_2_00B64E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00B64E89

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

File created: C:\Users\user\AppData\Local\Temp\aut8BB2.tmp

Jump to behavior

Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Virustotal: Detection: 54%
Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	ReversingLabs: Detection: 55%

Source: unknown	Process created: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe "C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe"
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe"
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Process created: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe "C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe"
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe"
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Process created: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe "C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Static file information: File size 1121280 > 1048576

Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: _.pdb source: RegSvcs.exe, 00000004.00000002.3306333552.0000000003194000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3306428942.0000000003350000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3307382649.0000000004555000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe, 00000000.00000003.2054899838.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe, 00000000.00000003.2055678386.0000000004190000.00000004.00001000.00020000.00000000.sdmp, Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe, 00000003.00000003.2070860319.00000000035A0000.00000004.00001000.00020000.00000000.sdmp, Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe, 00000003.00000003.2072370432.0000000003740000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe, 00000000.00000003.2054899838.0000000003FF0000.00000004.00001000.00020000.00000000.sdmp, Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe, 00000000.00000003.2055678386.0000000004190000.00000004.00001000.00020000.00000000.sdmp, Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe, 00000003.00000003.2070860319.00000000035A0000.00000004.00001000.00020000.00000000.sdmp, Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe, 00000003.00000003.2072370432.0000000003740000.00000004.00001000.00020000.00000000.sdmp

Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 4.2.RegSvcs.exe.4589790.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 4.2.RegSvcs.exe.33d0000.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 4.2.RegSvcs.exe.3350ee8.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 4.2.RegSvcs.exe.31d5e7e.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 4.2.RegSvcs.exe.4556458.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: 4.2.RegSvcs.exe.4555570.8.raw.unpack, _.cs	.Net Code: ___ System.Reflection.Assembly.Load(byte[])
Source: 4.2.RegSvcs.exe.31d4f96.2.raw.unpack, _.cs	.Net Code: ___ System.Reflection.Assembly.Load(byte[])
Source: 4.2.RegSvcs.exe.3350000.3.raw.unpack, _.cs	.Net Code: ___ System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Code function: 0_2_00B64B37 LoadLibraryA,GetProcAddress,

0_2_00B64B37

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00B88945 push ecx; ret	0_2_00B88958
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0041C40C push cs; iretd	4_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00423149 push eax; ret	4_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0041C50E push cs; iretd	4_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_004231C8 push eax; ret	4_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0040E21D push ecx; ret	4_2_0040E230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0041C6BE push ebx; ret	4_2_0041C6BF

Source: 4.2.RegSvcs.exe.4589790.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'mgioI1SGEsEQl', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 4.2.RegSvcs.exe.33d0000.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'mgioI1SGEsEQl', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 4.2.RegSvcs.exe.3350ee8.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'mgioI1SGEsEQl', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 4.2.RegSvcs.exe.31d5e7e.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'mgioI1SGEsEQl', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 4.2.RegSvcs.exe.4556458.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'mgioI1SGEsEQl', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	File created: \purchase order # 8mja15 - 20hrs pms twin engine 150hp.exe
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	File created: \purchase order # 8mja15 - 20hrs pms twin engine 150hp.exe
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	File created: \purchase order # 8mja15 - 20hrs pms twin engine 150hp.exe
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	File created: \purchase order # 8mja15 - 20hrs pms twin engine 150hp.exe	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	File created: \purchase order # 8mja15 - 20hrs pms twin engine 150hp.exe	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	File created: \purchase order # 8mja15 - 20hrs pms twin engine 150hp.exe	Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00B648D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00B648D7
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00BE5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00BE5376

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Code function: 0_2_00B83187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00B83187

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: RegSvcs.exe PID: 2724, type: MEMORYSTR

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	API/Special instruction interceptor: Address: 17411BC
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	API/Special instruction interceptor: Address: DB9FC4

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe, 00000003.00000002.2076111456.0000000000DC2000.00000004.00000020.00020000.00000000.sdmp, Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe, 00000003.00000003.2058087803.0000000000DC2000.00000004.00000020.00020000.00000000.sdmp, Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe, 00000003.00000003.2057967862.0000000000DC2000.00000004.00000020.00020000.00000000.sdmp, Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe, 00000003.00000003.2061980938.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe, 00000003.00000003.2059968932.0000000000DC2000.00000004.00000020.00020000.00000000.sdmp, Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe, 00000003.00000003.2065267172.0000000000DC2000.00000004.00000020.00020000.00000000.sdmp, Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe, 00000003.00000003.2063234060.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCMON.EXE\
Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe, 00000000.00000003.2047775384.00000000017A3000.00000004.00000020.00020000.00000000.sdmp, Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe, 00000000.00000002.2057772038.00000000017A3000.00000004.00000020.00020000.00000000.sdmp, Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe, 00000000.00000003.2044238504.00000000017A3000.00000004.00000020.00020000.00000000.sdmp, Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe, 00000000.00000003.2049253083.00000000017A3000.00000004.00000020.00020000.00000000.sdmp, Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe, 00000000.00000003.2043758975.00000000017A3000.00000004.00000020.00020000.00000000.sdmp, Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe, 00000000.00000003.2048826648.00000000017A3000.00000004.00000020.00020000.00000000.sdmp, Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe, 00000000.00000003.2043659835.0000000001774000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCMON.EXEG

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 4_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

4_2_004019F0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598764	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597124	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596358	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596181	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594968	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594531	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 7526			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 2328			Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-106095

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

API coverage: 4.5 %

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00BC445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00BC445A
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00BCC6D1 FindFirstFileW,FindClose,	0_2_00BCC6D1
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00BCC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00BCC75C
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00BCEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00BCEF95
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00BCF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00BCF0F2
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00BCF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00BCF3F3
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00BC37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00BC37EF
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00BC3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00BC3B12
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00BCBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00BCBCBC

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Code function: 0_2_00B649A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00B649A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598764	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597124	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596358	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596181	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594968	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594531	Jump to behavior

Source: RegSvcs.exe, 00000004.00000002.3305850425.00000000015BD000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

API call chain: ExitProcess graph end node

graph_0-104580

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Code function: 0_2_00BD3F09 BlockInput,

0_2_00BD3F09

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Code function: 0_2_00B63B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00B63B3A

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Code function: 0_2_00B95A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00B95A7C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

4_2_004019F0

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Code function: 0_2_00B64B37 LoadLibraryA,GetProcAddress,

0_2_00B64B37

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_01741428 mov eax, dword ptr fs:[00000030h]	0_2_01741428
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_01741488 mov eax, dword ptr fs:[00000030h]	0_2_01741488
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_0173FE38 mov eax, dword ptr fs:[00000030h]	0_2_0173FE38
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 3_2_00DB8C40 mov eax, dword ptr fs:[00000030h]	3_2_00DB8C40
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 3_2_00DBA290 mov eax, dword ptr fs:[00000030h]	3_2_00DBA290
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 3_2_00DBA230 mov eax, dword ptr fs:[00000030h]	3_2_00DBA230

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Code function: 0_2_00BB80A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_00BB80A9

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00B8A124 SetUnhandledExceptionFilter,	0_2_00B8A124
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00B8A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00B8A155
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_0040CE09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_0040E61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00416F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_004123F1 SetUnhandledExceptionFilter,	4_2_004123F1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 1150008

Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Code function: 0_2_00BB87B1 LogonUserW,

0_2_00BB87B1

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Code function: 0_2_00B63B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00B63B3A

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Code function: 0_2_00B648D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00B648D7

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Code function: 0_2_00BC4C27 mouse_event,

0_2_00BC4C27

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe"			Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe"			Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Code function: 0_2_00BB7CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00BB7CAF

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Code function: 0_2_00BB874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00BB874B

Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Code function: 0_2_00B8862B cpuid

0_2_00B8862B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: GetLocaleInfoA,

4_2_00417A20

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Code function: 0_2_00B94E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00B94E87

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Code function: 0_2_00BA1E06 GetUserNameW,

0_2_00BA1E06

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Code function: 0_2_00B93F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00B93F3A

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Code function: 0_2_00B649A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00B649A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 4.2.RegSvcs.exe.4589790.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.4589790.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.4556458.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3350ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3350ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.31d4f96.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.33d0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.33d0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.31d5e7e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.4555570.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.4555570.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.31d5e7e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.31d4f96.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3350000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3350000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.4556458.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3306333552.0000000003194000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3306428942.0000000003350000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3307382649.0000000004555000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3306501144.00000000033D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Snake Keylogger

Source: Yara match	File source: 4.2.RegSvcs.exe.4589790.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.4589790.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.4556458.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3350ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3350ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.31d4f96.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.33d0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.33d0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.31d5e7e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.4555570.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.4555570.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.31d5e7e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.31d4f96.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3350000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3350000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.4556458.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3306333552.0000000003194000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3306428942.0000000003350000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3307382649.0000000004555000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3306501144.00000000033D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3306612590.00000000035B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2724, type: MEMORYSTR

Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Binary or memory string: WIN_81
Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Binary or memory string: WIN_XP
Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Binary or memory string: WIN_XPe
Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Binary or memory string: WIN_VISTA
Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Binary or memory string: WIN_7
Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Binary or memory string: WIN_8
Source: Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 4.2.RegSvcs.exe.4589790.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.4589790.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.4556458.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3350ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3350ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.31d4f96.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.33d0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.4555570.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.33d0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.31d5e7e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.4555570.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.31d5e7e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.31d4f96.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3350000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3350000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.4556458.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3306333552.0000000003194000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3306428942.0000000003350000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3307382649.0000000004555000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3306501144.00000000033D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2724, type: MEMORYSTR

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 4.2.RegSvcs.exe.4589790.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.4589790.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.4556458.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3350ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3350ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.31d4f96.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.33d0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.33d0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.31d5e7e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.4555570.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.4555570.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.31d5e7e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.31d4f96.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3350000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3350000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.4556458.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3306333552.0000000003194000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3306428942.0000000003350000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3307382649.0000000004555000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3306501144.00000000033D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Snake Keylogger

Source: Yara match	File source: 4.2.RegSvcs.exe.4589790.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.4589790.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.4556458.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3350ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3350ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.31d4f96.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.33d0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.33d0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.31d5e7e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.4555570.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.4555570.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.31d5e7e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.31d4f96.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3350000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3350000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.4556458.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3306333552.0000000003194000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3306428942.0000000003350000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3307382649.0000000004555000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3306501144.00000000033D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3306612590.00000000035B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2724, type: MEMORYSTR

Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00BD6283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00BD6283
Source: C:\Users\user\Desktop\Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Code function: 0_2_00BD6747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00BD6747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	2 Software Packing	NTDS	136 System Information Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 DLL Side-Loading	LSA Secrets	241 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Valid Accounts	Cached Domain Credentials	11 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	212 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe