Edit tour

Windows Analysis Report
C6FGS0I3yn.exe

Overview

General Information

Sample name:	C6FGS0I3yn.exe renamed because original name is a hash value
Original sample name:	ac3e59d452c9afd22e61846b9f5d1b475c0fb1e9ee0a890dea660a61280bce57.exe
Analysis ID:	1631780
MD5:	a1279890aeb8abe7f5f043b844c37610
SHA1:	f499167373d11cfd9f006e32ba493dea460876cf
SHA256:	ac3e59d452c9afd22e61846b9f5d1b475c0fb1e9ee0a890dea660a61280bce57
Tags:	exeuser-adrian__luca
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected Snake Keylogger

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara signature match

Classification

Process Tree

System is w10x64

C6FGS0I3yn.exe (PID: 5288 cmdline: "C:\Users\user\Desktop\C6FGS0I3yn.exe" MD5: A1279890AEB8ABE7F5F043B844C37610)

powershell.exe (PID: 3556 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\C6FGS0I3yn.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 1852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 6660 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

RegSvcs.exe (PID: 2724 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cmd.exe (PID: 5620 cmdline: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

choice.exe (PID: 3652 cmdline: choice /C Y /N /D Y /T 3 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

svchost.exe (PID: 3656 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7979504653:AAFm_-f-R46w_TvBkt1kfgnnTRSttNIPYiY/sendMessage?chat_id=5600682828", "Token": "7979504653:AAFm_-f-R46w_TvBkt1kfgnnTRSttNIPYiY", "Chat_id": "5600682828", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.915425834.0000000003EA9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.915425834.0000000003EA9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x35aa8:$a1: get_encryptedPassword 0x35d8c:$a2: get_encryptedUsername 0x358b4:$a3: get_timePasswordChanged 0x359af:$a4: get_passwordField 0x35abe:$a5: set_encryptedPassword 0x37115:$a7: get_logins 0x37078:$a10: KeyLoggerEventArgs 0x36ce3:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.915425834.0000000003EA9000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x3aaa4:$x1: $%SMTPDV$ 0x39488:$x2: $#TheHashHere%& 0x3aa4c:$x3: %FTPDV$ 0x39428:$x4: $%TelegramDv$ 0x36ce3:$x5: KeyLoggerEventArgs 0x37078:$x5: KeyLoggerEventArgs 0x3aa70:$m2: Clipboard Logs ID 0x3acae:$m2: Screenshot Logs ID 0x3adbe:$m2: keystroke Logs ID 0x3b098:$m3: SnakePW 0x3ac86:$m4: \SnakeKeylogger\
00000003.00000002.1171129003.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000003.00000002.1171129003.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x143a0:$a1: get_encryptedPassword 0x14684:$a2: get_encryptedUsername 0x141ac:$a3: get_timePasswordChanged 0x142a7:$a4: get_passwordField 0x143b6:$a5: set_encryptedPassword 0x15a0d:$a7: get_logins 0x15970:$a10: KeyLoggerEventArgs 0x155db:$a11: KeyLoggerEventArgsEventHandler
00000003.00000002.1171129003.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1939c:$x1: $%SMTPDV$ 0x17d80:$x2: $#TheHashHere%& 0x19344:$x3: %FTPDV$ 0x17d20:$x4: $%TelegramDv$ 0x155db:$x5: KeyLoggerEventArgs 0x15970:$x5: KeyLoggerEventArgs 0x19368:$m2: Clipboard Logs ID 0x195a6:$m2: Screenshot Logs ID 0x196b6:$m2: keystroke Logs ID 0x19990:$m3: SnakePW 0x1957e:$m4: \SnakeKeylogger\
00000003.00000002.1172782030.0000000002801000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.915425834.0000000004702000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.915425834.0000000004702000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x280fa8:$a1: get_encryptedPassword 0x2a0fc8:$a1: get_encryptedPassword 0x28128c:$a2: get_encryptedUsername 0x2a12ac:$a2: get_encryptedUsername 0x280db4:$a3: get_timePasswordChanged 0x2a0dd4:$a3: get_timePasswordChanged 0x280eaf:$a4: get_passwordField 0x2a0ecf:$a4: get_passwordField 0x280fbe:$a5: set_encryptedPassword 0x2a0fde:$a5: set_encryptedPassword 0x282615:$a7: get_logins 0x2a2635:$a7: get_logins 0x282578:$a10: KeyLoggerEventArgs 0x2a2598:$a10: KeyLoggerEventArgs 0x2821e3:$a11: KeyLoggerEventArgsEventHandler 0x2a2203:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.915425834.0000000004702000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x285fa4:$x1: $%SMTPDV$ 0x2a5fc4:$x1: $%SMTPDV$ 0x284988:$x2: $#TheHashHere%& 0x2a49a8:$x2: $#TheHashHere%& 0x285f4c:$x3: %FTPDV$ 0x2a5f6c:$x3: %FTPDV$ 0x284928:$x4: $%TelegramDv$ 0x2a4948:$x4: $%TelegramDv$ 0x2821e3:$x5: KeyLoggerEventArgs 0x282578:$x5: KeyLoggerEventArgs 0x2a2203:$x5: KeyLoggerEventArgs 0x2a2598:$x5: KeyLoggerEventArgs 0x285f70:$m2: Clipboard Logs ID 0x2861ae:$m2: Screenshot Logs ID 0x2862be:$m2: keystroke Logs ID 0x2a5f90:$m2: Clipboard Logs ID 0x2a61ce:$m2: Screenshot Logs ID 0x2a62de:$m2: keystroke Logs ID 0x286598:$m3: SnakePW 0x2a65b8:$m3: SnakePW 0x286186:$m4: \SnakeKeylogger\
Process Memory Space: C6FGS0I3yn.exe PID: 5288	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: C6FGS0I3yn.exe PID: 5288	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: C6FGS0I3yn.exe PID: 5288	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3dc4e:$a1: get_encryptedPassword 0xd8ab8:$a1: get_encryptedPassword 0x3df28:$a2: get_encryptedUsername 0xd8ca5:$a2: get_encryptedUsername 0x3da64:$a3: get_timePasswordChanged 0xd88e1:$a3: get_timePasswordChanged 0x3db5f:$a4: get_passwordField 0xd89d0:$a4: get_passwordField 0x3dc64:$a5: set_encryptedPassword 0xd8ace:$a5: set_encryptedPassword 0x40112:$a7: get_logins 0xda9fc:$a7: get_logins 0x40075:$a10: KeyLoggerEventArgs 0xda974:$a10: KeyLoggerEventArgs 0x3fce0:$a11: KeyLoggerEventArgsEventHandler 0xda6ff:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: C6FGS0I3yn.exe PID: 5288	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x3fce0:$x5: KeyLoggerEventArgs 0x40075:$x5: KeyLoggerEventArgs 0x4097c:$x5: KeyLoggerEventArgs 0x40cdd:$x5: KeyLoggerEventArgs 0xda6ff:$x5: KeyLoggerEventArgs 0xda974:$x5: KeyLoggerEventArgs 0xdb199:$x5: KeyLoggerEventArgs 0xdb4fa:$x5: KeyLoggerEventArgs 0x422a0:$m2: Clipboard Logs ID 0x423a6:$m2: Screenshot Logs ID 0x423fc:$m2: keystroke Logs ID 0xdca6e:$m2: Clipboard Logs ID 0xdcb74:$m2: Screenshot Logs ID 0xdcbca:$m2: keystroke Logs ID 0x42531:$m3: SnakePW 0xdccff:$m3: SnakePW 0x42392:$m4: \SnakeKeylogger\ 0xdcb60:$m4: \SnakeKeylogger\
Process Memory Space: RegSvcs.exe PID: 2724	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: RegSvcs.exe PID: 2724	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1391:$a1: get_encryptedPassword 0x166b:$a2: get_encryptedUsername 0x11a7:$a3: get_timePasswordChanged 0x12a2:$a4: get_passwordField 0x13a7:$a5: set_encryptedPassword 0x3855:$a7: get_logins 0x37b8:$a10: KeyLoggerEventArgs 0x3423:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 2724	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x3423:$x5: KeyLoggerEventArgs 0x37b8:$x5: KeyLoggerEventArgs 0x40bf:$x5: KeyLoggerEventArgs 0x4420:$x5: KeyLoggerEventArgs 0x59e3:$m2: Clipboard Logs ID 0x5ae9:$m2: Screenshot Logs ID 0x5b3f:$m2: keystroke Logs ID 0x5c74:$m3: SnakePW 0x5ad5:$m4: \SnakeKeylogger\
Click to see the 12 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.C6FGS0I3yn.exe.496ea08.2.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.C6FGS0I3yn.exe.496ea08.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x127a0:$a1: get_encryptedPassword 0x12a84:$a2: get_encryptedUsername 0x125ac:$a3: get_timePasswordChanged 0x126a7:$a4: get_passwordField 0x127b6:$a5: set_encryptedPassword 0x13e0d:$a7: get_logins 0x13d70:$a10: KeyLoggerEventArgs 0x139db:$a11: KeyLoggerEventArgsEventHandler
0.2.C6FGS0I3yn.exe.496ea08.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a162:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19394:$a3: \Google\Chrome\User Data\Default\Login Data 0x197c7:$a4: \Orbitum\User Data\Default\Login Data 0x1a806:$a5: \Kometa\User Data\Default\Login Data
0.2.C6FGS0I3yn.exe.496ea08.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1336d:$s1: UnHook 0x13374:$s2: SetHook 0x1337c:$s3: CallNextHook 0x13389:$s4: _hook
0.2.C6FGS0I3yn.exe.496ea08.2.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1779c:$x1: $%SMTPDV$ 0x16180:$x2: $#TheHashHere%& 0x17744:$x3: %FTPDV$ 0x16120:$x4: $%TelegramDv$ 0x139db:$x5: KeyLoggerEventArgs 0x13d70:$x5: KeyLoggerEventArgs 0x17768:$m2: Clipboard Logs ID 0x179a6:$m2: Screenshot Logs ID 0x17ab6:$m2: keystroke Logs ID 0x17d90:$m3: SnakePW 0x1797e:$m4: \SnakeKeylogger\
0.2.C6FGS0I3yn.exe.3eca508.3.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.C6FGS0I3yn.exe.3eca508.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x145a0:$a1: get_encryptedPassword 0x14884:$a2: get_encryptedUsername 0x143ac:$a3: get_timePasswordChanged 0x144a7:$a4: get_passwordField 0x145b6:$a5: set_encryptedPassword 0x15c0d:$a7: get_logins 0x15b70:$a10: KeyLoggerEventArgs 0x157db:$a11: KeyLoggerEventArgsEventHandler
0.2.C6FGS0I3yn.exe.3eca508.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1bf62:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b194:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b5c7:$a4: \Orbitum\User Data\Default\Login Data 0x1c606:$a5: \Kometa\User Data\Default\Login Data
0.2.C6FGS0I3yn.exe.3eca508.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1516d:$s1: UnHook 0x15174:$s2: SetHook 0x1517c:$s3: CallNextHook 0x15189:$s4: _hook
0.2.C6FGS0I3yn.exe.3eca508.3.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1959c:$x1: $%SMTPDV$ 0x17f80:$x2: $#TheHashHere%& 0x19544:$x3: %FTPDV$ 0x17f20:$x4: $%TelegramDv$ 0x157db:$x5: KeyLoggerEventArgs 0x15b70:$x5: KeyLoggerEventArgs 0x19568:$m2: Clipboard Logs ID 0x197a6:$m2: Screenshot Logs ID 0x198b6:$m2: keystroke Logs ID 0x19b90:$m3: SnakePW 0x1977e:$m4: \SnakeKeylogger\
3.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
3.2.RegSvcs.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x145a0:$a1: get_encryptedPassword 0x14884:$a2: get_encryptedUsername 0x143ac:$a3: get_timePasswordChanged 0x144a7:$a4: get_passwordField 0x145b6:$a5: set_encryptedPassword 0x15c0d:$a7: get_logins 0x15b70:$a10: KeyLoggerEventArgs 0x157db:$a11: KeyLoggerEventArgsEventHandler
3.2.RegSvcs.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1bf62:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b194:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b5c7:$a4: \Orbitum\User Data\Default\Login Data 0x1c606:$a5: \Kometa\User Data\Default\Login Data
3.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1516d:$s1: UnHook 0x15174:$s2: SetHook 0x1517c:$s3: CallNextHook 0x15189:$s4: _hook
3.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1959c:$x1: $%SMTPDV$ 0x17f80:$x2: $#TheHashHere%& 0x19544:$x3: %FTPDV$ 0x17f20:$x4: $%TelegramDv$ 0x157db:$x5: KeyLoggerEventArgs 0x15b70:$x5: KeyLoggerEventArgs 0x19568:$m2: Clipboard Logs ID 0x197a6:$m2: Screenshot Logs ID 0x198b6:$m2: keystroke Logs ID 0x19b90:$m3: SnakePW 0x1977e:$m4: \SnakeKeylogger\
0.2.C6FGS0I3yn.exe.3eca508.3.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.C6FGS0I3yn.exe.3eca508.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x127a0:$a1: get_encryptedPassword 0x12a84:$a2: get_encryptedUsername 0x125ac:$a3: get_timePasswordChanged 0x126a7:$a4: get_passwordField 0x127b6:$a5: set_encryptedPassword 0x13e0d:$a7: get_logins 0x13d70:$a10: KeyLoggerEventArgs 0x139db:$a11: KeyLoggerEventArgsEventHandler
0.2.C6FGS0I3yn.exe.3eca508.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a162:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19394:$a3: \Google\Chrome\User Data\Default\Login Data 0x197c7:$a4: \Orbitum\User Data\Default\Login Data 0x1a806:$a5: \Kometa\User Data\Default\Login Data
0.2.C6FGS0I3yn.exe.3eca508.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1336d:$s1: UnHook 0x13374:$s2: SetHook 0x1337c:$s3: CallNextHook 0x13389:$s4: _hook
0.2.C6FGS0I3yn.exe.3eca508.3.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1779c:$x1: $%SMTPDV$ 0x16180:$x2: $#TheHashHere%& 0x17744:$x3: %FTPDV$ 0x16120:$x4: $%TelegramDv$ 0x139db:$x5: KeyLoggerEventArgs 0x13d70:$x5: KeyLoggerEventArgs 0x17768:$m2: Clipboard Logs ID 0x179a6:$m2: Screenshot Logs ID 0x17ab6:$m2: keystroke Logs ID 0x17d90:$m3: SnakePW 0x1797e:$m4: \SnakeKeylogger\
0.2.C6FGS0I3yn.exe.496ea08.2.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.C6FGS0I3yn.exe.496ea08.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x145a0:$a1: get_encryptedPassword 0x345c0:$a1: get_encryptedPassword 0x14884:$a2: get_encryptedUsername 0x348a4:$a2: get_encryptedUsername 0x143ac:$a3: get_timePasswordChanged 0x343cc:$a3: get_timePasswordChanged 0x144a7:$a4: get_passwordField 0x344c7:$a4: get_passwordField 0x145b6:$a5: set_encryptedPassword 0x345d6:$a5: set_encryptedPassword 0x15c0d:$a7: get_logins 0x35c2d:$a7: get_logins 0x15b70:$a10: KeyLoggerEventArgs 0x35b90:$a10: KeyLoggerEventArgs 0x157db:$a11: KeyLoggerEventArgsEventHandler 0x357fb:$a11: KeyLoggerEventArgsEventHandler
0.2.C6FGS0I3yn.exe.496ea08.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1bf62:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3bf82:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b194:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b1b4:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b5c7:$a4: \Orbitum\User Data\Default\Login Data 0x3b5e7:$a4: \Orbitum\User Data\Default\Login Data 0x1c606:$a5: \Kometa\User Data\Default\Login Data 0x3c626:$a5: \Kometa\User Data\Default\Login Data
0.2.C6FGS0I3yn.exe.496ea08.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x1516d:$s1: UnHook 0x3518d:$s1: UnHook 0x15174:$s2: SetHook 0x35194:$s2: SetHook 0x1517c:$s3: CallNextHook 0x3519c:$s3: CallNextHook 0x15189:$s4: _hook 0x351a9:$s4: _hook
0.2.C6FGS0I3yn.exe.496ea08.2.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1959c:$x1: $%SMTPDV$ 0x395bc:$x1: $%SMTPDV$ 0x17f80:$x2: $#TheHashHere%& 0x37fa0:$x2: $#TheHashHere%& 0x19544:$x3: %FTPDV$ 0x39564:$x3: %FTPDV$ 0x17f20:$x4: $%TelegramDv$ 0x37f40:$x4: $%TelegramDv$ 0x157db:$x5: KeyLoggerEventArgs 0x15b70:$x5: KeyLoggerEventArgs 0x357fb:$x5: KeyLoggerEventArgs 0x35b90:$x5: KeyLoggerEventArgs 0x19568:$m2: Clipboard Logs ID 0x197a6:$m2: Screenshot Logs ID 0x198b6:$m2: keystroke Logs ID 0x39588:$m2: Clipboard Logs ID 0x397c6:$m2: Screenshot Logs ID 0x398d6:$m2: keystroke Logs ID 0x19b90:$m3: SnakePW 0x39bb0:$m3: SnakePW 0x1977e:$m4: \SnakeKeylogger\
0.2.C6FGS0I3yn.exe.490a1e8.0.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.C6FGS0I3yn.exe.490a1e8.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x78dc0:$a1: get_encryptedPassword 0x98de0:$a1: get_encryptedPassword 0x790a4:$a2: get_encryptedUsername 0x990c4:$a2: get_encryptedUsername 0x78bcc:$a3: get_timePasswordChanged 0x98bec:$a3: get_timePasswordChanged 0x78cc7:$a4: get_passwordField 0x98ce7:$a4: get_passwordField 0x78dd6:$a5: set_encryptedPassword 0x98df6:$a5: set_encryptedPassword 0x7a42d:$a7: get_logins 0x9a44d:$a7: get_logins 0x7a390:$a10: KeyLoggerEventArgs 0x9a3b0:$a10: KeyLoggerEventArgs 0x79ffb:$a11: KeyLoggerEventArgsEventHandler 0x9a01b:$a11: KeyLoggerEventArgsEventHandler
0.2.C6FGS0I3yn.exe.490a1e8.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x80782:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xa07a2:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7f9b4:$a3: \Google\Chrome\User Data\Default\Login Data 0x9f9d4:$a3: \Google\Chrome\User Data\Default\Login Data 0x7fde7:$a4: \Orbitum\User Data\Default\Login Data 0x9fe07:$a4: \Orbitum\User Data\Default\Login Data 0x80e26:$a5: \Kometa\User Data\Default\Login Data 0xa0e46:$a5: \Kometa\User Data\Default\Login Data
0.2.C6FGS0I3yn.exe.490a1e8.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x7998d:$s1: UnHook 0x999ad:$s1: UnHook 0x79994:$s2: SetHook 0x999b4:$s2: SetHook 0x7999c:$s3: CallNextHook 0x999bc:$s3: CallNextHook 0x799a9:$s4: _hook 0x999c9:$s4: _hook
0.2.C6FGS0I3yn.exe.490a1e8.0.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x7ddbc:$x1: $%SMTPDV$ 0x9dddc:$x1: $%SMTPDV$ 0x7c7a0:$x2: $#TheHashHere%& 0x9c7c0:$x2: $#TheHashHere%& 0x7dd64:$x3: %FTPDV$ 0x9dd84:$x3: %FTPDV$ 0x7c740:$x4: $%TelegramDv$ 0x9c760:$x4: $%TelegramDv$ 0x79ffb:$x5: KeyLoggerEventArgs 0x7a390:$x5: KeyLoggerEventArgs 0x9a01b:$x5: KeyLoggerEventArgs 0x9a3b0:$x5: KeyLoggerEventArgs 0x7dd88:$m2: Clipboard Logs ID 0x7dfc6:$m2: Screenshot Logs ID 0x7e0d6:$m2: keystroke Logs ID 0x9dda8:$m2: Clipboard Logs ID 0x9dfe6:$m2: Screenshot Logs ID 0x9e0f6:$m2: keystroke Logs ID 0x7e3b0:$m3: SnakePW 0x9e3d0:$m3: SnakePW 0x7df9e:$m4: \SnakeKeylogger\
0.2.C6FGS0I3yn.exe.48a59c8.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.C6FGS0I3yn.exe.48a59c8.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xdd5e0:$a1: get_encryptedPassword 0xfd600:$a1: get_encryptedPassword 0xdd8c4:$a2: get_encryptedUsername 0xfd8e4:$a2: get_encryptedUsername 0xdd3ec:$a3: get_timePasswordChanged 0xfd40c:$a3: get_timePasswordChanged 0xdd4e7:$a4: get_passwordField 0xfd507:$a4: get_passwordField 0xdd5f6:$a5: set_encryptedPassword 0xfd616:$a5: set_encryptedPassword 0xdec4d:$a7: get_logins 0xfec6d:$a7: get_logins 0xdebb0:$a10: KeyLoggerEventArgs 0xfebd0:$a10: KeyLoggerEventArgs 0xde81b:$a11: KeyLoggerEventArgsEventHandler 0xfe83b:$a11: KeyLoggerEventArgsEventHandler
0.2.C6FGS0I3yn.exe.48a59c8.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0xde1ad:$s1: UnHook 0xfe1cd:$s1: UnHook 0xde1b4:$s2: SetHook 0xfe1d4:$s2: SetHook 0xde1bc:$s3: CallNextHook 0xfe1dc:$s3: CallNextHook 0xde1c9:$s4: _hook 0xfe1e9:$s4: _hook
0.2.C6FGS0I3yn.exe.48a59c8.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0xe25dc:$x1: $%SMTPDV$ 0x1025fc:$x1: $%SMTPDV$ 0xe0fc0:$x2: $#TheHashHere%& 0x100fe0:$x2: $#TheHashHere%& 0xe2584:$x3: %FTPDV$ 0x1025a4:$x3: %FTPDV$ 0xe0f60:$x4: $%TelegramDv$ 0x100f80:$x4: $%TelegramDv$ 0xde81b:$x5: KeyLoggerEventArgs 0xdebb0:$x5: KeyLoggerEventArgs 0xfe83b:$x5: KeyLoggerEventArgs 0xfebd0:$x5: KeyLoggerEventArgs 0xe25a8:$m2: Clipboard Logs ID 0xe27e6:$m2: Screenshot Logs ID 0xe28f6:$m2: keystroke Logs ID 0x1025c8:$m2: Clipboard Logs ID 0x102806:$m2: Screenshot Logs ID 0x102916:$m2: keystroke Logs ID 0xe2bd0:$m3: SnakePW 0x102bf0:$m3: SnakePW 0xe27be:$m4: \SnakeKeylogger\
Click to see the 29 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\C6FGS0I3yn.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\C6FGS0I3yn.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\C6FGS0I3yn.exe", ParentImage: C:\Users\user\Desktop\C6FGS0I3yn.exe, ParentProcessId: 5288, ParentProcessName: C6FGS0I3yn.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\C6FGS0I3yn.exe", ProcessId: 3556, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\C6FGS0I3yn.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\C6FGS0I3yn.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\C6FGS0I3yn.exe", ParentImage: C:\Users\user\Desktop\C6FGS0I3yn.exe, ParentProcessId: 5288, ParentProcessName: C6FGS0I3yn.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\C6FGS0I3yn.exe", ProcessId: 3556, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 628, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 3656, ProcessName: svchost.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T15:47:21.762509+0100	2803305	3	Unknown Traffic	192.168.2.8	49685	104.21.112.1	443	TCP
2025-03-07T15:47:28.302779+0100	2803305	3	Unknown Traffic	192.168.2.8	49689	104.21.112.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T15:47:16.548545+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49683	132.226.247.73	80	TCP
2025-03-07T15:47:19.376686+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49683	132.226.247.73	80	TCP
2025-03-07T15:47:22.564249+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49686	132.226.247.73	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: C6FGS0I3yn.exe

Avira: detected

Found malware configuration

Source: 00000003.00000002.1171129003.0000000000402000.00000040.00000400.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7979504653:AAFm_-f-R46w_TvBkt1kfgnnTRSttNIPYiY/sendMessage?chat_id=5600682828", "Token": "7979504653:AAFm_-f-R46w_TvBkt1kfgnnTRSttNIPYiY", "Chat_id": "5600682828", "Version": "5.1"}

Multi AV Scanner detection for submitted file

Source: C6FGS0I3yn.exe	Virustotal: Detection: 80%			Perma Link
Source: C6FGS0I3yn.exe	ReversingLabs: Detection: 71%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 0.2.C6FGS0I3yn.exe.496ea08.2.raw.unpack	String decryptor:
Source: 0.2.C6FGS0I3yn.exe.496ea08.2.raw.unpack	String decryptor: 7979504653:AAFm_-f-R46w_TvBkt1kfgnnTRSttNIPYiY
Source: 0.2.C6FGS0I3yn.exe.496ea08.2.raw.unpack	String decryptor: 5600682828
Source: 0.2.C6FGS0I3yn.exe.496ea08.2.raw.unpack	String decryptor:
Source: 0.2.C6FGS0I3yn.exe.496ea08.2.raw.unpack	String decryptor: 7979504653:AAFm_-f-R46w_TvBkt1kfgnnTRSttNIPYiY
Source: 0.2.C6FGS0I3yn.exe.496ea08.2.raw.unpack	String decryptor: 5600682828

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: C6FGS0I3yn.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.8:49684 version: TLS 1.0

Source: C6FGS0I3yn.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.112.1 104.21.112.1
Source: Joe Sandbox View	IP Address: 104.21.112.1 104.21.112.1
Source: Joe Sandbox View	IP Address: 132.226.247.73 132.226.247.73

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49686 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49683 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49689 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49685 -> 104.21.112.1:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.8:49684 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: RegSvcs.exe, 00000003.00000002.1172782030.00000000028C8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.00000000029B2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.0000000002976000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.0000000002969000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.000000000295B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.00000000029C0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.0000000002984000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000003.00000002.1172782030.000000000290B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.00000000028C8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.00000000029B2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.0000000002976000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.0000000002969000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.000000000295B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.0000000002992000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.00000000028BC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.00000000029C0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.0000000002984000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000003.00000002.1172782030.0000000002801000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: C6FGS0I3yn.exe, 00000000.00000002.915425834.0000000003EA9000.00000004.00000800.00020000.00000000.sdmp, C6FGS0I3yn.exe, 00000000.00000002.915425834.0000000004702000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1171129003.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000003.00000002.1174645926.0000000005DEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m3
Source: svchost.exe, 00000009.00000002.2144748423.000001A66AA8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: qmgr.db.9.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.9.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.9.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.9.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.9.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.9.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: qmgr.db.9.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: RegSvcs.exe, 00000003.00000002.1172782030.00000000029B2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.0000000002976000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.0000000002969000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.000000000295B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.00000000028E0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.00000000029C0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.0000000002984000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000003.00000002.1172782030.0000000002984000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org0
Source: C6FGS0I3yn.exe, 00000000.00000002.911841181.0000000003081000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.0000000002801000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: C6FGS0I3yn.exe	String found in binary or memory: http://tempuri.org/Polly_PipeDataSet.xsd
Source: edb.log.9.dr, qmgr.db.9.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: svchost.exe, 00000009.00000003.1209771138.000001A66A830000.00000004.00000800.00020000.00000000.sdmp, edb.log.9.dr, qmgr.db.9.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2/C:
Source: RegSvcs.exe, 00000003.00000002.1172782030.000000000290B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.00000000028C8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.00000000029B2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.0000000002976000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.0000000002969000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.000000000295B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.00000000029C0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.0000000002984000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: C6FGS0I3yn.exe, 00000000.00000002.915425834.0000000003EA9000.00000004.00000800.00020000.00000000.sdmp, C6FGS0I3yn.exe, 00000000.00000002.915425834.0000000004702000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1171129003.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.00000000028C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000003.00000002.1172782030.0000000002984000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: RegSvcs.exe, 00000003.00000002.1172782030.000000000290B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.00000000029B2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.0000000002976000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.0000000002969000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.000000000295B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.00000000029C0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.0000000002984000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49689
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49687
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49685
Source: unknown	Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49684
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown	Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49691 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49685 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49689 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49684 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49687 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.C6FGS0I3yn.exe.496ea08.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.C6FGS0I3yn.exe.496ea08.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.C6FGS0I3yn.exe.496ea08.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.C6FGS0I3yn.exe.496ea08.2.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.C6FGS0I3yn.exe.3eca508.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.C6FGS0I3yn.exe.3eca508.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.C6FGS0I3yn.exe.3eca508.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.C6FGS0I3yn.exe.3eca508.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.C6FGS0I3yn.exe.3eca508.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.C6FGS0I3yn.exe.3eca508.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.C6FGS0I3yn.exe.3eca508.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.C6FGS0I3yn.exe.3eca508.3.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.C6FGS0I3yn.exe.496ea08.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.C6FGS0I3yn.exe.496ea08.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.C6FGS0I3yn.exe.496ea08.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.C6FGS0I3yn.exe.496ea08.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.C6FGS0I3yn.exe.490a1e8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.C6FGS0I3yn.exe.490a1e8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.C6FGS0I3yn.exe.490a1e8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.C6FGS0I3yn.exe.490a1e8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.C6FGS0I3yn.exe.48a59c8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.C6FGS0I3yn.exe.48a59c8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.C6FGS0I3yn.exe.48a59c8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.915425834.0000000003EA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.915425834.0000000003EA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000003.00000002.1171129003.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000003.00000002.1171129003.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.915425834.0000000004702000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.915425834.0000000004702000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: C6FGS0I3yn.exe PID: 5288, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: C6FGS0I3yn.exe PID: 5288, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: RegSvcs.exe PID: 2724, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 2724, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Code function: 0_2_02CAE02C	0_2_02CAE02C
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Code function: 0_2_071FA658	0_2_071FA658
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Code function: 0_2_071FEBE0	0_2_071FEBE0
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Code function: 0_2_071FB928	0_2_071FB928
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Code function: 0_2_071FA64B	0_2_071FA64B
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Code function: 0_2_071FDF68	0_2_071FDF68
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Code function: 0_2_071FEEB8	0_2_071FEEB8
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Code function: 0_2_071FEEC8	0_2_071FEEC8
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Code function: 0_2_071FEBD2	0_2_071FEBD2
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Code function: 0_2_071FB918	0_2_071FB918
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Code function: 0_2_0747C530	0_2_0747C530
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Code function: 0_2_0747A5B8	0_2_0747A5B8
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Code function: 0_2_07476500	0_2_07476500
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Code function: 0_2_0747A5A8	0_2_0747A5A8
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Code function: 0_2_074781E0	0_2_074781E0
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Code function: 0_2_074760C8	0_2_074760C8
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Code function: 0_2_07475C82	0_2_07475C82
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Code function: 0_2_07475C90	0_2_07475C90
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Code function: 0_2_07472BE8	0_2_07472BE8
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Code function: 0_2_07476938	0_2_07476938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00D5C190	3_2_00D5C190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00D56108	3_2_00D56108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00D5B328	3_2_00D5B328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00D5C470	3_2_00D5C470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00D5C751	3_2_00D5C751
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00D56880	3_2_00D56880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00D59858	3_2_00D59858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00D54AD9	3_2_00D54AD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00D5CA31	3_2_00D5CA31
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00D5BBD2	3_2_00D5BBD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00D5BEB0	3_2_00D5BEB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00D5B4F3	3_2_00D5B4F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00D53570	3_2_00D53570

Source: C6FGS0I3yn.exe, 00000000.00000002.915425834.0000000003EA9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs C6FGS0I3yn.exe
Source: C6FGS0I3yn.exe, 00000000.00000002.915425834.0000000003EA9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs C6FGS0I3yn.exe
Source: C6FGS0I3yn.exe, 00000000.00000002.918270663.00000000070D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs C6FGS0I3yn.exe
Source: C6FGS0I3yn.exe, 00000000.00000000.896077237.0000000000A8C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameJdxr.exe6 vs C6FGS0I3yn.exe
Source: C6FGS0I3yn.exe, 00000000.00000002.911841181.0000000003081000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs C6FGS0I3yn.exe
Source: C6FGS0I3yn.exe, 00000000.00000002.908270008.0000000000F5E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs C6FGS0I3yn.exe
Source: C6FGS0I3yn.exe, 00000000.00000002.919446081.0000000007AC0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs C6FGS0I3yn.exe
Source: C6FGS0I3yn.exe, 00000000.00000002.915425834.0000000004702000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs C6FGS0I3yn.exe
Source: C6FGS0I3yn.exe, 00000000.00000002.915425834.0000000004702000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs C6FGS0I3yn.exe
Source: C6FGS0I3yn.exe	Binary or memory string: OriginalFilenameJdxr.exe6 vs C6FGS0I3yn.exe

Source: C6FGS0I3yn.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.C6FGS0I3yn.exe.496ea08.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.C6FGS0I3yn.exe.496ea08.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.C6FGS0I3yn.exe.496ea08.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.C6FGS0I3yn.exe.496ea08.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.C6FGS0I3yn.exe.3eca508.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.C6FGS0I3yn.exe.3eca508.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.C6FGS0I3yn.exe.3eca508.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.C6FGS0I3yn.exe.3eca508.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.C6FGS0I3yn.exe.3eca508.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.C6FGS0I3yn.exe.3eca508.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.C6FGS0I3yn.exe.3eca508.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.C6FGS0I3yn.exe.3eca508.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.C6FGS0I3yn.exe.496ea08.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.C6FGS0I3yn.exe.496ea08.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.C6FGS0I3yn.exe.496ea08.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.C6FGS0I3yn.exe.496ea08.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.C6FGS0I3yn.exe.490a1e8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.C6FGS0I3yn.exe.490a1e8.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.C6FGS0I3yn.exe.490a1e8.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.C6FGS0I3yn.exe.490a1e8.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.C6FGS0I3yn.exe.48a59c8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.C6FGS0I3yn.exe.48a59c8.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.C6FGS0I3yn.exe.48a59c8.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.915425834.0000000003EA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.915425834.0000000003EA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000003.00000002.1171129003.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000003.00000002.1171129003.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.915425834.0000000004702000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.915425834.0000000004702000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: C6FGS0I3yn.exe PID: 5288, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: C6FGS0I3yn.exe PID: 5288, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: RegSvcs.exe PID: 2724, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 2724, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: 0.2.C6FGS0I3yn.exe.496ea08.2.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.C6FGS0I3yn.exe.496ea08.2.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.C6FGS0I3yn.exe.496ea08.2.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.C6FGS0I3yn.exe.496ea08.2.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.C6FGS0I3yn.exe.3eca508.3.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.C6FGS0I3yn.exe.3eca508.3.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.C6FGS0I3yn.exe.3eca508.3.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.C6FGS0I3yn.exe.3eca508.3.raw.unpack, ----.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.C6FGS0I3yn.exe.496ea08.2.raw.unpack, --.cs	Base64 encoded string: 'iPtLpST0aj+I0ixxeFjViuaS7YVM368XThGpa5S96Po307yPMViuqHh6WHInohBe'
Source: 0.2.C6FGS0I3yn.exe.3eca508.3.raw.unpack, --.cs	Base64 encoded string: 'iPtLpST0aj+I0ixxeFjViuaS7YVM368XThGpa5S96Po307yPMViuqHh6WHInohBe'

Source: 0.2.C6FGS0I3yn.exe.48a59c8.1.raw.unpack, vAUK21M9krnTHyoo0h.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.C6FGS0I3yn.exe.48a59c8.1.raw.unpack, vAUK21M9krnTHyoo0h.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.C6FGS0I3yn.exe.48a59c8.1.raw.unpack, vAUK21M9krnTHyoo0h.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.C6FGS0I3yn.exe.7ac0000.5.raw.unpack, R3eM7wFYvi5Gx34BDa.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.C6FGS0I3yn.exe.7ac0000.5.raw.unpack, R3eM7wFYvi5Gx34BDa.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.C6FGS0I3yn.exe.7ac0000.5.raw.unpack, vAUK21M9krnTHyoo0h.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.C6FGS0I3yn.exe.7ac0000.5.raw.unpack, vAUK21M9krnTHyoo0h.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.C6FGS0I3yn.exe.7ac0000.5.raw.unpack, vAUK21M9krnTHyoo0h.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.C6FGS0I3yn.exe.490a1e8.0.raw.unpack, vAUK21M9krnTHyoo0h.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.C6FGS0I3yn.exe.490a1e8.0.raw.unpack, vAUK21M9krnTHyoo0h.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.C6FGS0I3yn.exe.490a1e8.0.raw.unpack, vAUK21M9krnTHyoo0h.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.C6FGS0I3yn.exe.490a1e8.0.raw.unpack, R3eM7wFYvi5Gx34BDa.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.C6FGS0I3yn.exe.490a1e8.0.raw.unpack, R3eM7wFYvi5Gx34BDa.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.C6FGS0I3yn.exe.48a59c8.1.raw.unpack, R3eM7wFYvi5Gx34BDa.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.C6FGS0I3yn.exe.48a59c8.1.raw.unpack, R3eM7wFYvi5Gx34BDa.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@13/11@2/3

Source: C:\Users\user\Desktop\C6FGS0I3yn.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\C6FGS0I3yn.exe.log

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1852:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5400:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zyplobmg.3kr.ps1

Jump to behavior

Source: C6FGS0I3yn.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C6FGS0I3yn.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\C6FGS0I3yn.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\C6FGS0I3yn.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C6FGS0I3yn.exe	Virustotal: Detection: 80%
Source: C6FGS0I3yn.exe	ReversingLabs: Detection: 71%

Source: unknown	Process created: C:\Users\user\Desktop\C6FGS0I3yn.exe "C:\Users\user\Desktop\C6FGS0I3yn.exe"
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\C6FGS0I3yn.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\C6FGS0I3yn.exe"	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3	Jump to behavior

Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior

Source: C:\Users\user\Desktop\C6FGS0I3yn.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\C6FGS0I3yn.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C6FGS0I3yn.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C6FGS0I3yn.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.C6FGS0I3yn.exe.48a59c8.1.raw.unpack, vAUK21M9krnTHyoo0h.cs	.Net Code: Xd4RmG5ifb System.Reflection.Assembly.Load(byte[])
Source: 0.2.C6FGS0I3yn.exe.70d0000.4.raw.unpack, MainForm.cs	.Net Code: _202D_206F_202D_200E_202A_206C_202A_202A_206D_200D_206C_206A_206A_202D_200D_206A_200D_200C_200E_200F_206B_206A_206B_202D_206A_206E_206C_200C_202E_200D_206B_206A_206A_206B_200F_202B_200C_202B_200E_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.C6FGS0I3yn.exe.7ac0000.5.raw.unpack, vAUK21M9krnTHyoo0h.cs	.Net Code: Xd4RmG5ifb System.Reflection.Assembly.Load(byte[])
Source: 0.2.C6FGS0I3yn.exe.490a1e8.0.raw.unpack, vAUK21M9krnTHyoo0h.cs	.Net Code: Xd4RmG5ifb System.Reflection.Assembly.Load(byte[])

Source: C6FGS0I3yn.exe

Static PE information: 0x84FBAC30 [Wed Sep 12 18:08:48 2040 UTC]

Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Code function: 0_2_02CA01A5 push esp; retf	0_2_02CA01B3
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Code function: 0_2_071F2713 push F0059B8Fh; ret	0_2_071F271D
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Code function: 0_2_071F9988 push eax; iretd	0_2_071F9989
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Code function: 0_2_0747B540 push esp; ret	0_2_0747B541

Source: C6FGS0I3yn.exe

Static PE information: section name: .text entropy: 7.122195322883306

Source: 0.2.C6FGS0I3yn.exe.48a59c8.1.raw.unpack, B6YAibJ4rt238Z3eak.cs	High entropy of concatenated method names: 'LaaT1gXYpN', 'j26TtsGew4', 'Vw2TwRAu6n', 'NjdTUfhrbt', 'Cw9TyISUJW', 'IYATYnsmE3', 'e0wT0DuMJR', 'mfbTeKLuK9', 'fuNTDxnAFA', 'gB6TBrmUY0'
Source: 0.2.C6FGS0I3yn.exe.48a59c8.1.raw.unpack, Y9WsvEaTusRjfejOBn.cs	High entropy of concatenated method names: 'gZ4KBXFmq3', 'SeAKhsT4X6', 'F1RKa23VP1', 'ATCKfTo8xx', 'Ts0KtyF3vX', 'kfdKwe6uBi', 'O9MKUcM0Tg', 'FYaKynQVoe', 'f5bKYp4ujk', 'dKJK0IaGLS'
Source: 0.2.C6FGS0I3yn.exe.48a59c8.1.raw.unpack, iuVaHb1lKb4HSQ5CCF.cs	High entropy of concatenated method names: 'JHPpLgy05R', 'XHwp8VXGke', 'F6JpP07XUL', 'uWxpZ6MX7v', 'lmPpMhUho6', 'zVkPQIQFsI', 'AHNP4pCjeR', 'aBiPgLiR20', 'GVuPsnTNuo', 'b4aPJesiBB'
Source: 0.2.C6FGS0I3yn.exe.48a59c8.1.raw.unpack, RWul7X43grKBeY6BJ0.cs	High entropy of concatenated method names: 'SEGxsrL7ue', 'NIrxIo3Jdw', 'zOLG9XIDZ8', 'rCXG6dk4u1', 'vZbx7YeRDF', 'U2KxhkEIPx', 'lO3xXPWi30', 'tQNxaYOvra', 'PP0xfK3dJR', 'TLMxcl1Yky'
Source: 0.2.C6FGS0I3yn.exe.48a59c8.1.raw.unpack, IH09UK88wjK8xa74Tk.cs	High entropy of concatenated method names: 'Dispose', 'sOR6JELWoc', 'gLEqtZ7iYo', 'tVn5eepjgA', 'yYX6I2g2TZ', 'YuA6zDIBDB', 'ProcessDialogKey', 'wCNq96YAib', 'Vrtq6238Z3', 'Makqq3us3X'
Source: 0.2.C6FGS0I3yn.exe.48a59c8.1.raw.unpack, CkRNbM6RdvuHW5EAMif.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'HLSCTpUnhu', 'ObECO6aE3v', 'P7rCH33fUt', 'EiECCVN4OA', 'TYZCorkO45', 'yeWC5rw76X', 'GueCdHJUkT'
Source: 0.2.C6FGS0I3yn.exe.48a59c8.1.raw.unpack, k8UIKcEcW0vaJk0Ner.cs	High entropy of concatenated method names: 'sGOxjhwWKN', 'SLRxWoQ6yV', 'ToString', 'nY1xkXfE8R', 'cyHx824aVd', 'W25x3xy2jn', 'nC3xPEEjBP', 'QDnxpO7Yck', 'mv6xZH8i2b', 'PnrxM1uac8'
Source: 0.2.C6FGS0I3yn.exe.48a59c8.1.raw.unpack, yIjb8cRbFoDJJAvole.cs	High entropy of concatenated method names: 'Off6Z3eM7w', 'Kvi6M5Gx34', 'UxD6jw6pV8', 'Vqe6Wd6ikn', 'fbZ6KCspuV', 'QHb6blKb4H', 'xOSojJnVXL5j9C9gAD', 'iuD8fwlUfYgmnOqPMa', 'HiL66xgRj6', 'Pwf6SEW2TX'
Source: 0.2.C6FGS0I3yn.exe.48a59c8.1.raw.unpack, Ej17CY698EAR6OTErmH.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'vubO7hMA6O', 'NGTOhH9iTg', 'MaiOXrGbYT', 'wRgOaB9mGr', 'GdpOfOLAQS', 'NpAOcyYXFI', 'd14OEdp58l'
Source: 0.2.C6FGS0I3yn.exe.48a59c8.1.raw.unpack, turBs2qpOIodAbBIqq.cs	High entropy of concatenated method names: 'nk7ml4LHR', 'sTFijUr5g', 'dyRrMGcjK', 'BQv2Lj292', 'HVSvmidcS', 'YfUVRZT4U', 'g3wHKNT6aXhPV3xsHw', 'kHImIY0mUXd9WAQyYb', 'DuaGll6L3', 'kHSOTj3RF'
Source: 0.2.C6FGS0I3yn.exe.48a59c8.1.raw.unpack, bikntIVOoR0BV8bZCs.cs	High entropy of concatenated method names: 'V7xPNxxV76', 'CcuP2EAT8C', 'wy53wC8PiY', 'V3Z3UfWAO5', 'rlI3y9KOxE', 'sgY3Y5DPIs', 'BEA30jdNY6', 'zFy3eNLKBF', 'cLb3D0WM76', 'EAL3B9jlub'
Source: 0.2.C6FGS0I3yn.exe.48a59c8.1.raw.unpack, HJqRcZz65iCgy2eXs0.cs	High entropy of concatenated method names: 'mh4OrCFyTa', 'rb5OFnY8D7', 'YVZOv46ZOS', 'bZJO1DRqq1', 'rSGOtHTZuG', 'EfMOU4nJo0', 'WGwOy0msC9', 'ni7Od99xWq', 'jNWOAYG8sk', 'c9SOnsvQAE'
Source: 0.2.C6FGS0I3yn.exe.48a59c8.1.raw.unpack, TJBYWiX29bNkbXktvj.cs	High entropy of concatenated method names: 'PDKlF0Mcsx', 'I2vlvCB4fv', 'U1il1s9dDv', 'C6hltFygF1', 'taxlUpuUFj', 'CbQly8OdUi', 'Q4kl0FKWQd', 'yOCleRsnLp', 'QMJlBTmNO9', 'Hk4l7Zk0b7'
Source: 0.2.C6FGS0I3yn.exe.48a59c8.1.raw.unpack, vAUK21M9krnTHyoo0h.cs	High entropy of concatenated method names: 'EhMSLhITeY', 'MaESkbd6Dh', 'rpAS8AUX7H', 'A68S3B4bid', 'GHXSP0asV2', 'r5OSpOA8UT', 'nEBSZw8Xmw', 'P5jSMniPJi', 'CyNSu0sMcB', 'DK5Sjkmta5'
Source: 0.2.C6FGS0I3yn.exe.48a59c8.1.raw.unpack, VGnSyQvxDw6pV8gqed.cs	High entropy of concatenated method names: 'x283ifrDPX', 'awE3r5vPdO', 'g9T3Fb2E4C', 'XFS3vw1Aqw', 'oai3K2Pvdl', 'sjR3b2KfLw', 'Wk53xMW7C0', 'YAy3GShIiH', 'CDO3TnD508', 'WTy3Ohri1B'
Source: 0.2.C6FGS0I3yn.exe.48a59c8.1.raw.unpack, tlsFHRgtBOORELWocn.cs	High entropy of concatenated method names: 'eAZTKZcdx9', 'XXYTxmfAh4', 'VNCTT9Dko1', 'GfgTHs5QE1', 'XgoToeBIQ2', 'GIYTdL6vr8', 'Dispose', 'macGk9hbhK', 'yTSG8lATE3', 'YlMG3lmnPJ'
Source: 0.2.C6FGS0I3yn.exe.48a59c8.1.raw.unpack, WjVXsT0mG4wgUjSHIl.cs	High entropy of concatenated method names: 'KFSZkKURZl', 'mL3Z3yGwwX', 'T0oZp4ioDu', 'jHrpIxrpgt', 'PwPpzoNCtw', 'JKLZ9Gjm2w', 'qwNZ6IBmZT', 'wJYZqpiL3r', 'BNMZS5owOB', 'M8lZReoUcP'
Source: 0.2.C6FGS0I3yn.exe.48a59c8.1.raw.unpack, CQs2x866YwfdNKuYEeg.cs	High entropy of concatenated method names: 'VGSOIsYk7k', 'OvNOzAYNH2', 'LX3H9QFPvs', 'EL3H6v9xr6', 'lyKHq7fBYu', 'GfGHSn0Y54', 'L1mHRADGwO', 'iFeHLFv0x6', 'PCWHkD6KgH', 'CTaH83WJeQ'
Source: 0.2.C6FGS0I3yn.exe.48a59c8.1.raw.unpack, zKLY8HDM5JdSklXI0g.cs	High entropy of concatenated method names: 'YFKZA0WKdK', 'HUwZnrgq3C', 'EBhZmpNNkx', 'MFDZixQppD', 'IaKZNwyvh4', 'iBTZr7pCfV', 'JiaZ2kWWMA', 'lY8ZFXEQZG', 'Fe2ZvuaCwO', 'VOQZVTSN9d'
Source: 0.2.C6FGS0I3yn.exe.48a59c8.1.raw.unpack, R3eM7wFYvi5Gx34BDa.cs	High entropy of concatenated method names: 'Q978a5MmSD', 'IBB8f3dxkx', 'KqF8co7pV0', 'Qup8EQanoq', 'tg38Qp2AKs', 'Cmm84L2EZr', 'UGJ8g7Cjdr', 'TAe8sWNryb', 'Vai8JH8Wdw', 'Iba8It7d81'
Source: 0.2.C6FGS0I3yn.exe.7ac0000.5.raw.unpack, B6YAibJ4rt238Z3eak.cs	High entropy of concatenated method names: 'LaaT1gXYpN', 'j26TtsGew4', 'Vw2TwRAu6n', 'NjdTUfhrbt', 'Cw9TyISUJW', 'IYATYnsmE3', 'e0wT0DuMJR', 'mfbTeKLuK9', 'fuNTDxnAFA', 'gB6TBrmUY0'
Source: 0.2.C6FGS0I3yn.exe.7ac0000.5.raw.unpack, Y9WsvEaTusRjfejOBn.cs	High entropy of concatenated method names: 'gZ4KBXFmq3', 'SeAKhsT4X6', 'F1RKa23VP1', 'ATCKfTo8xx', 'Ts0KtyF3vX', 'kfdKwe6uBi', 'O9MKUcM0Tg', 'FYaKynQVoe', 'f5bKYp4ujk', 'dKJK0IaGLS'
Source: 0.2.C6FGS0I3yn.exe.7ac0000.5.raw.unpack, iuVaHb1lKb4HSQ5CCF.cs	High entropy of concatenated method names: 'JHPpLgy05R', 'XHwp8VXGke', 'F6JpP07XUL', 'uWxpZ6MX7v', 'lmPpMhUho6', 'zVkPQIQFsI', 'AHNP4pCjeR', 'aBiPgLiR20', 'GVuPsnTNuo', 'b4aPJesiBB'
Source: 0.2.C6FGS0I3yn.exe.7ac0000.5.raw.unpack, RWul7X43grKBeY6BJ0.cs	High entropy of concatenated method names: 'SEGxsrL7ue', 'NIrxIo3Jdw', 'zOLG9XIDZ8', 'rCXG6dk4u1', 'vZbx7YeRDF', 'U2KxhkEIPx', 'lO3xXPWi30', 'tQNxaYOvra', 'PP0xfK3dJR', 'TLMxcl1Yky'
Source: 0.2.C6FGS0I3yn.exe.7ac0000.5.raw.unpack, IH09UK88wjK8xa74Tk.cs	High entropy of concatenated method names: 'Dispose', 'sOR6JELWoc', 'gLEqtZ7iYo', 'tVn5eepjgA', 'yYX6I2g2TZ', 'YuA6zDIBDB', 'ProcessDialogKey', 'wCNq96YAib', 'Vrtq6238Z3', 'Makqq3us3X'
Source: 0.2.C6FGS0I3yn.exe.7ac0000.5.raw.unpack, CkRNbM6RdvuHW5EAMif.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'HLSCTpUnhu', 'ObECO6aE3v', 'P7rCH33fUt', 'EiECCVN4OA', 'TYZCorkO45', 'yeWC5rw76X', 'GueCdHJUkT'
Source: 0.2.C6FGS0I3yn.exe.7ac0000.5.raw.unpack, k8UIKcEcW0vaJk0Ner.cs	High entropy of concatenated method names: 'sGOxjhwWKN', 'SLRxWoQ6yV', 'ToString', 'nY1xkXfE8R', 'cyHx824aVd', 'W25x3xy2jn', 'nC3xPEEjBP', 'QDnxpO7Yck', 'mv6xZH8i2b', 'PnrxM1uac8'
Source: 0.2.C6FGS0I3yn.exe.7ac0000.5.raw.unpack, yIjb8cRbFoDJJAvole.cs	High entropy of concatenated method names: 'Off6Z3eM7w', 'Kvi6M5Gx34', 'UxD6jw6pV8', 'Vqe6Wd6ikn', 'fbZ6KCspuV', 'QHb6blKb4H', 'xOSojJnVXL5j9C9gAD', 'iuD8fwlUfYgmnOqPMa', 'HiL66xgRj6', 'Pwf6SEW2TX'
Source: 0.2.C6FGS0I3yn.exe.7ac0000.5.raw.unpack, Ej17CY698EAR6OTErmH.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'vubO7hMA6O', 'NGTOhH9iTg', 'MaiOXrGbYT', 'wRgOaB9mGr', 'GdpOfOLAQS', 'NpAOcyYXFI', 'd14OEdp58l'
Source: 0.2.C6FGS0I3yn.exe.7ac0000.5.raw.unpack, turBs2qpOIodAbBIqq.cs	High entropy of concatenated method names: 'nk7ml4LHR', 'sTFijUr5g', 'dyRrMGcjK', 'BQv2Lj292', 'HVSvmidcS', 'YfUVRZT4U', 'g3wHKNT6aXhPV3xsHw', 'kHImIY0mUXd9WAQyYb', 'DuaGll6L3', 'kHSOTj3RF'
Source: 0.2.C6FGS0I3yn.exe.7ac0000.5.raw.unpack, bikntIVOoR0BV8bZCs.cs	High entropy of concatenated method names: 'V7xPNxxV76', 'CcuP2EAT8C', 'wy53wC8PiY', 'V3Z3UfWAO5', 'rlI3y9KOxE', 'sgY3Y5DPIs', 'BEA30jdNY6', 'zFy3eNLKBF', 'cLb3D0WM76', 'EAL3B9jlub'
Source: 0.2.C6FGS0I3yn.exe.7ac0000.5.raw.unpack, HJqRcZz65iCgy2eXs0.cs	High entropy of concatenated method names: 'mh4OrCFyTa', 'rb5OFnY8D7', 'YVZOv46ZOS', 'bZJO1DRqq1', 'rSGOtHTZuG', 'EfMOU4nJo0', 'WGwOy0msC9', 'ni7Od99xWq', 'jNWOAYG8sk', 'c9SOnsvQAE'
Source: 0.2.C6FGS0I3yn.exe.7ac0000.5.raw.unpack, TJBYWiX29bNkbXktvj.cs	High entropy of concatenated method names: 'PDKlF0Mcsx', 'I2vlvCB4fv', 'U1il1s9dDv', 'C6hltFygF1', 'taxlUpuUFj', 'CbQly8OdUi', 'Q4kl0FKWQd', 'yOCleRsnLp', 'QMJlBTmNO9', 'Hk4l7Zk0b7'
Source: 0.2.C6FGS0I3yn.exe.7ac0000.5.raw.unpack, vAUK21M9krnTHyoo0h.cs	High entropy of concatenated method names: 'EhMSLhITeY', 'MaESkbd6Dh', 'rpAS8AUX7H', 'A68S3B4bid', 'GHXSP0asV2', 'r5OSpOA8UT', 'nEBSZw8Xmw', 'P5jSMniPJi', 'CyNSu0sMcB', 'DK5Sjkmta5'
Source: 0.2.C6FGS0I3yn.exe.7ac0000.5.raw.unpack, VGnSyQvxDw6pV8gqed.cs	High entropy of concatenated method names: 'x283ifrDPX', 'awE3r5vPdO', 'g9T3Fb2E4C', 'XFS3vw1Aqw', 'oai3K2Pvdl', 'sjR3b2KfLw', 'Wk53xMW7C0', 'YAy3GShIiH', 'CDO3TnD508', 'WTy3Ohri1B'
Source: 0.2.C6FGS0I3yn.exe.7ac0000.5.raw.unpack, tlsFHRgtBOORELWocn.cs	High entropy of concatenated method names: 'eAZTKZcdx9', 'XXYTxmfAh4', 'VNCTT9Dko1', 'GfgTHs5QE1', 'XgoToeBIQ2', 'GIYTdL6vr8', 'Dispose', 'macGk9hbhK', 'yTSG8lATE3', 'YlMG3lmnPJ'
Source: 0.2.C6FGS0I3yn.exe.7ac0000.5.raw.unpack, WjVXsT0mG4wgUjSHIl.cs	High entropy of concatenated method names: 'KFSZkKURZl', 'mL3Z3yGwwX', 'T0oZp4ioDu', 'jHrpIxrpgt', 'PwPpzoNCtw', 'JKLZ9Gjm2w', 'qwNZ6IBmZT', 'wJYZqpiL3r', 'BNMZS5owOB', 'M8lZReoUcP'
Source: 0.2.C6FGS0I3yn.exe.7ac0000.5.raw.unpack, CQs2x866YwfdNKuYEeg.cs	High entropy of concatenated method names: 'VGSOIsYk7k', 'OvNOzAYNH2', 'LX3H9QFPvs', 'EL3H6v9xr6', 'lyKHq7fBYu', 'GfGHSn0Y54', 'L1mHRADGwO', 'iFeHLFv0x6', 'PCWHkD6KgH', 'CTaH83WJeQ'
Source: 0.2.C6FGS0I3yn.exe.7ac0000.5.raw.unpack, zKLY8HDM5JdSklXI0g.cs	High entropy of concatenated method names: 'YFKZA0WKdK', 'HUwZnrgq3C', 'EBhZmpNNkx', 'MFDZixQppD', 'IaKZNwyvh4', 'iBTZr7pCfV', 'JiaZ2kWWMA', 'lY8ZFXEQZG', 'Fe2ZvuaCwO', 'VOQZVTSN9d'
Source: 0.2.C6FGS0I3yn.exe.7ac0000.5.raw.unpack, R3eM7wFYvi5Gx34BDa.cs	High entropy of concatenated method names: 'Q978a5MmSD', 'IBB8f3dxkx', 'KqF8co7pV0', 'Qup8EQanoq', 'tg38Qp2AKs', 'Cmm84L2EZr', 'UGJ8g7Cjdr', 'TAe8sWNryb', 'Vai8JH8Wdw', 'Iba8It7d81'
Source: 0.2.C6FGS0I3yn.exe.490a1e8.0.raw.unpack, B6YAibJ4rt238Z3eak.cs	High entropy of concatenated method names: 'LaaT1gXYpN', 'j26TtsGew4', 'Vw2TwRAu6n', 'NjdTUfhrbt', 'Cw9TyISUJW', 'IYATYnsmE3', 'e0wT0DuMJR', 'mfbTeKLuK9', 'fuNTDxnAFA', 'gB6TBrmUY0'
Source: 0.2.C6FGS0I3yn.exe.490a1e8.0.raw.unpack, Y9WsvEaTusRjfejOBn.cs	High entropy of concatenated method names: 'gZ4KBXFmq3', 'SeAKhsT4X6', 'F1RKa23VP1', 'ATCKfTo8xx', 'Ts0KtyF3vX', 'kfdKwe6uBi', 'O9MKUcM0Tg', 'FYaKynQVoe', 'f5bKYp4ujk', 'dKJK0IaGLS'
Source: 0.2.C6FGS0I3yn.exe.490a1e8.0.raw.unpack, iuVaHb1lKb4HSQ5CCF.cs	High entropy of concatenated method names: 'JHPpLgy05R', 'XHwp8VXGke', 'F6JpP07XUL', 'uWxpZ6MX7v', 'lmPpMhUho6', 'zVkPQIQFsI', 'AHNP4pCjeR', 'aBiPgLiR20', 'GVuPsnTNuo', 'b4aPJesiBB'
Source: 0.2.C6FGS0I3yn.exe.490a1e8.0.raw.unpack, RWul7X43grKBeY6BJ0.cs	High entropy of concatenated method names: 'SEGxsrL7ue', 'NIrxIo3Jdw', 'zOLG9XIDZ8', 'rCXG6dk4u1', 'vZbx7YeRDF', 'U2KxhkEIPx', 'lO3xXPWi30', 'tQNxaYOvra', 'PP0xfK3dJR', 'TLMxcl1Yky'
Source: 0.2.C6FGS0I3yn.exe.490a1e8.0.raw.unpack, IH09UK88wjK8xa74Tk.cs	High entropy of concatenated method names: 'Dispose', 'sOR6JELWoc', 'gLEqtZ7iYo', 'tVn5eepjgA', 'yYX6I2g2TZ', 'YuA6zDIBDB', 'ProcessDialogKey', 'wCNq96YAib', 'Vrtq6238Z3', 'Makqq3us3X'
Source: 0.2.C6FGS0I3yn.exe.490a1e8.0.raw.unpack, CkRNbM6RdvuHW5EAMif.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'HLSCTpUnhu', 'ObECO6aE3v', 'P7rCH33fUt', 'EiECCVN4OA', 'TYZCorkO45', 'yeWC5rw76X', 'GueCdHJUkT'
Source: 0.2.C6FGS0I3yn.exe.490a1e8.0.raw.unpack, k8UIKcEcW0vaJk0Ner.cs	High entropy of concatenated method names: 'sGOxjhwWKN', 'SLRxWoQ6yV', 'ToString', 'nY1xkXfE8R', 'cyHx824aVd', 'W25x3xy2jn', 'nC3xPEEjBP', 'QDnxpO7Yck', 'mv6xZH8i2b', 'PnrxM1uac8'
Source: 0.2.C6FGS0I3yn.exe.490a1e8.0.raw.unpack, yIjb8cRbFoDJJAvole.cs	High entropy of concatenated method names: 'Off6Z3eM7w', 'Kvi6M5Gx34', 'UxD6jw6pV8', 'Vqe6Wd6ikn', 'fbZ6KCspuV', 'QHb6blKb4H', 'xOSojJnVXL5j9C9gAD', 'iuD8fwlUfYgmnOqPMa', 'HiL66xgRj6', 'Pwf6SEW2TX'
Source: 0.2.C6FGS0I3yn.exe.490a1e8.0.raw.unpack, Ej17CY698EAR6OTErmH.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'vubO7hMA6O', 'NGTOhH9iTg', 'MaiOXrGbYT', 'wRgOaB9mGr', 'GdpOfOLAQS', 'NpAOcyYXFI', 'd14OEdp58l'
Source: 0.2.C6FGS0I3yn.exe.490a1e8.0.raw.unpack, turBs2qpOIodAbBIqq.cs	High entropy of concatenated method names: 'nk7ml4LHR', 'sTFijUr5g', 'dyRrMGcjK', 'BQv2Lj292', 'HVSvmidcS', 'YfUVRZT4U', 'g3wHKNT6aXhPV3xsHw', 'kHImIY0mUXd9WAQyYb', 'DuaGll6L3', 'kHSOTj3RF'
Source: 0.2.C6FGS0I3yn.exe.490a1e8.0.raw.unpack, bikntIVOoR0BV8bZCs.cs	High entropy of concatenated method names: 'V7xPNxxV76', 'CcuP2EAT8C', 'wy53wC8PiY', 'V3Z3UfWAO5', 'rlI3y9KOxE', 'sgY3Y5DPIs', 'BEA30jdNY6', 'zFy3eNLKBF', 'cLb3D0WM76', 'EAL3B9jlub'
Source: 0.2.C6FGS0I3yn.exe.490a1e8.0.raw.unpack, HJqRcZz65iCgy2eXs0.cs	High entropy of concatenated method names: 'mh4OrCFyTa', 'rb5OFnY8D7', 'YVZOv46ZOS', 'bZJO1DRqq1', 'rSGOtHTZuG', 'EfMOU4nJo0', 'WGwOy0msC9', 'ni7Od99xWq', 'jNWOAYG8sk', 'c9SOnsvQAE'
Source: 0.2.C6FGS0I3yn.exe.490a1e8.0.raw.unpack, TJBYWiX29bNkbXktvj.cs	High entropy of concatenated method names: 'PDKlF0Mcsx', 'I2vlvCB4fv', 'U1il1s9dDv', 'C6hltFygF1', 'taxlUpuUFj', 'CbQly8OdUi', 'Q4kl0FKWQd', 'yOCleRsnLp', 'QMJlBTmNO9', 'Hk4l7Zk0b7'
Source: 0.2.C6FGS0I3yn.exe.490a1e8.0.raw.unpack, vAUK21M9krnTHyoo0h.cs	High entropy of concatenated method names: 'EhMSLhITeY', 'MaESkbd6Dh', 'rpAS8AUX7H', 'A68S3B4bid', 'GHXSP0asV2', 'r5OSpOA8UT', 'nEBSZw8Xmw', 'P5jSMniPJi', 'CyNSu0sMcB', 'DK5Sjkmta5'
Source: 0.2.C6FGS0I3yn.exe.490a1e8.0.raw.unpack, VGnSyQvxDw6pV8gqed.cs	High entropy of concatenated method names: 'x283ifrDPX', 'awE3r5vPdO', 'g9T3Fb2E4C', 'XFS3vw1Aqw', 'oai3K2Pvdl', 'sjR3b2KfLw', 'Wk53xMW7C0', 'YAy3GShIiH', 'CDO3TnD508', 'WTy3Ohri1B'
Source: 0.2.C6FGS0I3yn.exe.490a1e8.0.raw.unpack, tlsFHRgtBOORELWocn.cs	High entropy of concatenated method names: 'eAZTKZcdx9', 'XXYTxmfAh4', 'VNCTT9Dko1', 'GfgTHs5QE1', 'XgoToeBIQ2', 'GIYTdL6vr8', 'Dispose', 'macGk9hbhK', 'yTSG8lATE3', 'YlMG3lmnPJ'
Source: 0.2.C6FGS0I3yn.exe.490a1e8.0.raw.unpack, WjVXsT0mG4wgUjSHIl.cs	High entropy of concatenated method names: 'KFSZkKURZl', 'mL3Z3yGwwX', 'T0oZp4ioDu', 'jHrpIxrpgt', 'PwPpzoNCtw', 'JKLZ9Gjm2w', 'qwNZ6IBmZT', 'wJYZqpiL3r', 'BNMZS5owOB', 'M8lZReoUcP'
Source: 0.2.C6FGS0I3yn.exe.490a1e8.0.raw.unpack, CQs2x866YwfdNKuYEeg.cs	High entropy of concatenated method names: 'VGSOIsYk7k', 'OvNOzAYNH2', 'LX3H9QFPvs', 'EL3H6v9xr6', 'lyKHq7fBYu', 'GfGHSn0Y54', 'L1mHRADGwO', 'iFeHLFv0x6', 'PCWHkD6KgH', 'CTaH83WJeQ'
Source: 0.2.C6FGS0I3yn.exe.490a1e8.0.raw.unpack, zKLY8HDM5JdSklXI0g.cs	High entropy of concatenated method names: 'YFKZA0WKdK', 'HUwZnrgq3C', 'EBhZmpNNkx', 'MFDZixQppD', 'IaKZNwyvh4', 'iBTZr7pCfV', 'JiaZ2kWWMA', 'lY8ZFXEQZG', 'Fe2ZvuaCwO', 'VOQZVTSN9d'
Source: 0.2.C6FGS0I3yn.exe.490a1e8.0.raw.unpack, R3eM7wFYvi5Gx34BDa.cs	High entropy of concatenated method names: 'Q978a5MmSD', 'IBB8f3dxkx', 'KqF8co7pV0', 'Qup8EQanoq', 'tg38Qp2AKs', 'Cmm84L2EZr', 'UGJ8g7Cjdr', 'TAe8sWNryb', 'Vai8JH8Wdw', 'Iba8It7d81'

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: C6FGS0I3yn.exe PID: 5288, type: MEMORYSTR

Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Memory allocated: 13F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Memory allocated: 2EA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Memory allocated: 2BE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Memory allocated: 9100000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Memory allocated: A100000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Memory allocated: A310000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Memory allocated: B310000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Memory allocated: B720000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Memory allocated: C720000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Memory allocated: D720000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599657	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599532	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599407	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599282	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599157	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599032	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598204	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598079	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597954	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597829	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597704	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597579	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597454	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597329	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597204	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597079	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596954	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596829	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596704	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596579	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596454	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596329	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596204	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596079	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593985	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6098	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3626	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1144	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 8673	Jump to behavior

Source: C:\Users\user\Desktop\C6FGS0I3yn.exe TID: 5284	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4912	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 4196	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599657	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599532	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599407	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599282	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599157	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599032	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598204	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598079	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597954	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597829	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597704	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597579	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597454	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597329	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597204	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597079	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596954	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596829	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596704	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596579	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596454	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596329	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596204	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596079	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593985	Jump to behavior

Source: RegSvcs.exe, 00000003.00000002.1174645926.0000000005DEE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}2503
Source: svchost.exe, 00000009.00000002.2143217876.000001A66542B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.2144708803.000001A66AA56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: RegSvcs.exe, 00000003.00000002.1171339308.00000000009B6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\C6FGS0I3yn.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\C6FGS0I3yn.exe"
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\C6FGS0I3yn.exe"			Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\C6FGS0I3yn.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\C6FGS0I3yn.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 422000	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 424000	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 7DF008	Jump to behavior

Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\C6FGS0I3yn.exe"	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3	Jump to behavior

Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Queries volume information: C:\Users\user\Desktop\C6FGS0I3yn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\C6FGS0I3yn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\C6FGS0I3yn.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.C6FGS0I3yn.exe.496ea08.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.C6FGS0I3yn.exe.3eca508.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.C6FGS0I3yn.exe.3eca508.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.C6FGS0I3yn.exe.496ea08.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.C6FGS0I3yn.exe.490a1e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.C6FGS0I3yn.exe.48a59c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.915425834.0000000003EA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1171129003.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1172782030.0000000002801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.915425834.0000000004702000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: C6FGS0I3yn.exe PID: 5288, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2724, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.C6FGS0I3yn.exe.496ea08.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.C6FGS0I3yn.exe.3eca508.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.C6FGS0I3yn.exe.3eca508.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.C6FGS0I3yn.exe.496ea08.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.C6FGS0I3yn.exe.490a1e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.C6FGS0I3yn.exe.48a59c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.915425834.0000000003EA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1171129003.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1172782030.0000000002801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.915425834.0000000004702000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: C6FGS0I3yn.exe PID: 5288, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2724, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	311 Process Injection	11 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	11 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	311 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	21 Obfuscated Files or Information	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Software Packing	DCSync	22 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Timestomp	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
C6FGS0I3yn.exe	81%	Virustotal		Browse
C6FGS0I3yn.exe	71%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno
C6FGS0I3yn.exe	100%	Avira	TR/AD.SnakeStealer.kvrxt

Source	Detection	Scanner	Label	Link
http://crl.m3	0%	Avira URL Cloud	safe
http://reallyfreegeoip.org0	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.112.1	true	false	high
checkip.dyndns.com	132.226.247.73	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/8.46.123.189	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://g.live.com/odclientsettings/Prod/C:	edb.log.9.dr, qmgr.db.9.dr	false		high
http://crl.m3	RegSvcs.exe, 00000003.00000002.1174645926.0000000005DEE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Polly_PipeDataSet.xsd	C6FGS0I3yn.exe	false		high
http://checkip.dyndns.org/q	C6FGS0I3yn.exe, 00000000.00000002.915425834.0000000003EA9000.00000004.00000800.00020000.00000000.sdmp, C6FGS0I3yn.exe, 00000000.00000002.915425834.0000000004702000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1171129003.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/8.46.123.189$	RegSvcs.exe, 00000003.00000002.1172782030.000000000290B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.00000000029B2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.0000000002976000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.0000000002969000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.000000000295B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.00000000029C0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.0000000002984000.00000004.00000800.00020000.00000000.sdmp	false		high
http://reallyfreegeoip.org	RegSvcs.exe, 00000003.00000002.1172782030.00000000029B2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.0000000002976000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.0000000002969000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.000000000295B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.00000000028E0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.00000000029C0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.0000000002984000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org	RegSvcs.exe, 00000003.00000002.1172782030.000000000290B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.00000000028C8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.00000000029B2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.0000000002976000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.0000000002969000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.000000000295B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.00000000029C0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.0000000002984000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.ver)	svchost.exe, 00000009.00000002.2144748423.000001A66AA8D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/ProdV2/C:	svchost.exe, 00000009.00000003.1209771138.000001A66A830000.00000004.00000800.00020000.00000000.sdmp, edb.log.9.dr, qmgr.db.9.dr	false		high
http://checkip.dyndns.org	RegSvcs.exe, 00000003.00000002.1172782030.000000000290B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.00000000028C8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.00000000029B2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.0000000002976000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.0000000002969000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.000000000295B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.0000000002992000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.00000000028BC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.00000000029C0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.0000000002984000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.com	RegSvcs.exe, 00000003.00000002.1172782030.00000000028C8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.00000000029B2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.0000000002976000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.0000000002969000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.000000000295B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.00000000029C0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.0000000002984000.00000004.00000800.00020000.00000000.sdmp	false		high
http://reallyfreegeoip.org0	RegSvcs.exe, 00000003.00000002.1172782030.0000000002984000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	C6FGS0I3yn.exe, 00000000.00000002.911841181.0000000003081000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.0000000002801000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/	C6FGS0I3yn.exe, 00000000.00000002.915425834.0000000003EA9000.00000004.00000800.00020000.00000000.sdmp, C6FGS0I3yn.exe, 00000000.00000002.915425834.0000000004702000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1171129003.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1172782030.00000000028C8000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.112.1	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false
132.226.247.73	checkip.dyndns.com	United States		16989	UTMEMUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1631780
Start date and time:	2025-03-07 15:46:16 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	C6FGS0I3yn.exe renamed because original name is a hash value
Original Sample Name:	ac3e59d452c9afd22e61846b9f5d1b475c0fb1e9ee0a890dea660a61280bce57.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@13/11@2/3
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 99% Number of executed functions: 88 Number of non-executed functions: 13
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 2.16.185.191, 23.60.203.209
Excluded domains from analysis (whitelisted): fs.microsoft.com, e16604.f.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, c.pki.goog
Execution Graph export aborted for target RegSvcs.exe, PID 2724 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:47:14	API Interceptor	1x Sleep call for process: C6FGS0I3yn.exe modified
09:47:15	API Interceptor	11x Sleep call for process: powershell.exe modified
09:47:18	API Interceptor	178x Sleep call for process: RegSvcs.exe modified
09:47:44	API Interceptor	2x Sleep call for process: svchost.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.112.1	2Stejb80vJ.exe	Get hash	malicious	FormBook	Browse	www.askvtwv8.top/uztg/
	Shipment_Docus_COSCO_20250307_35405649_pdf.bat.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/sccc/five/fre.php
	ORDER-000291-XLSX.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/tking3/five/fre.php
	Quotation_Order_Request_pdf.bat.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/sccc/five/fre.php
	CACUuGJw8e.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	loveme123ru.ru/PipeAuthmultiwordpress.php
	Udeladelsers21.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.tumbetgirislinki.fit/7tw6/
	http://onedrivesharedfiles.sbs/	Get hash	malicious	DarkCloud	Browse	onedrivesharedfiles.sbs/
	PAYMENT SWIFT COPY.exe	Get hash	malicious	FormBook	Browse	www.rbopisalive.cyou/6m32/
	scan_0219025_pdf.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/sccc/five/fre.php
	gH68ux6XtG.exe	Get hash	malicious	FormBook	Browse	www.lucynoel6465.shop/jgkl/
132.226.247.73	ckHregxJIq.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	jcHIuFAWdB.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Win32.CrypterX-gen.30422.25408.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/
	z1INVOICE4602-FMT25020147.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Ziraat_Bankasi_Swift_Messaji.png.exe	Get hash	malicious	MSIL Logger, MassLogger RAT, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Repeat Order.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/
	HAWB772384266855 2846086773 G#U00f6nderinizinETGB .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	MEDUCK217841.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	SOA_TONG WOH ENTERPRISE SDN BHD.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	rRessourcestyrings.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	ckHregxJIq.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	PvAmrCZENy.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	rjRYMApdf9.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	jcHIuFAWdB.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	132.226.247.73
	8JVG9KELay.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	uB9KTHzsXJ.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	PENDING PAYMENT FOR March SOA.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	HBL NO C-ACC-250002.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	SecuriteInfo.com.Win32.CrypterX-gen.30422.25408.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	132.226.247.73
	Shipping Document ..exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
reallyfreegeoip.org	ckHregxJIq.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	PvAmrCZENy.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	rjRYMApdf9.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.64.1
	jcHIuFAWdB.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.16.1
	8JVG9KELay.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	uB9KTHzsXJ.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	PENDING PAYMENT FOR March SOA.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.32.1
	HBL NO C-ACC-250002.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.64.1
	SecuriteInfo.com.Win32.CrypterX-gen.30422.25408.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.32.1
	Shipping Document ..exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UTMEMUS	ckHregxJIq.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	PvAmrCZENy.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	jcHIuFAWdB.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	132.226.247.73
	uB9KTHzsXJ.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	PENDING PAYMENT FOR March SOA.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	SecuriteInfo.com.Win32.CrypterX-gen.30422.25408.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	132.226.247.73
	Invoice- Trikaya Bio.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	z1INVOICE4602-FMT25020147.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	132.226.8.169
	Ziraat_Bankasi_Swift_Messaji.png.exe	Get hash	malicious	MSIL Logger, MassLogger RAT, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
CLOUDFLARENETUS	ckHregxJIq.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	oCPGyn28rc.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	CjbMEPJZ3J.exe	Get hash	malicious	FormBook	Browse	104.21.3.103
	PvAmrCZENy.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	rjRYMApdf9.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.64.1
	jcHIuFAWdB.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.16.1
	8JVG9KELay.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	uB9KTHzsXJ.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	2Stejb80vJ.exe	Get hash	malicious	FormBook	Browse	104.21.112.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	ckHregxJIq.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	PvAmrCZENy.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	rjRYMApdf9.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	jcHIuFAWdB.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.112.1
	8JVG9KELay.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	uB9KTHzsXJ.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	NrFs9S2x5P.vbs	Get hash	malicious	MoDiRAT	Browse	104.21.112.1
	4GkyooSSU6.vbs	Get hash	malicious	MoDiRAT	Browse	104.21.112.1
	8FPbFaueUE.vbs	Get hash	malicious	MoDiRAT	Browse	104.21.112.1
	PBuqd1KwaW.vbs	Get hash	malicious	MoDiRAT	Browse	104.21.112.1

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.8021921606808825
Encrypted:	false
SSDEEP:	1536:RJszRK0I9i0k0I9wXq0I9UGJC/PQJCmJCovVsnQ9Sii1GY9zOoRXTpMNYpKhvUAh:RJE+Lfki1GjHwU/+vVhWqpw
MD5:	AB0BB009C46BF200D83252B13D2332F7
SHA1:	4F7D06ACEE9AB5585DB37B27A6DDD576262FC020
SHA-256:	30C927BDC7D562130E26E59B21F5215E02D969FA9F129B0AD02EB2A9AE5210D4
SHA-512:	4A5A93CCAC4AFAA0B5BF4E2081E49B1391F40057FD9AB1E12180707A99D5176364AC2C273CA28C7AB559A1B250B76F8F156B354D3126A13C9015CC4F0F7F2DA0
Malicious:	false
Reputation:	low
Preview:	..Q^........@..@.....{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.....................................3~L.#.........`h.................h.......1.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x58f772a7, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1048576
Entropy (8bit):	0.9433452588397083
Encrypted:	false
SSDEEP:	1536:bSB2ESB2SSjlK/ZvxPXK0I9XGJCTgzZYkr3g16zV2UPkLk+kY+lKuy9ny5zPOZ15:bazaHvxXy2V2UR
MD5:	D649DD8BC71329C84DED75BD4541FE66
SHA1:	096BF29B8ECC5D748C08251D263747AC85FE8149
SHA-256:	6CD3F60514F35964E4827EE7D346BD3E67AE5FDEC5901B7F41C3B9C83700CDDA
SHA-512:	9CE095BB6EA323E8D9970FC9C01D894C63BF727560B05F59363CA156EF273FF9FC767FD9CB1284D2A5737F9625D0283FD9B4072573C00E3E3CB2905EF4FC5AD3
Malicious:	false
Reputation:	low
Preview:	X.r.... ...............X\...;...{......................0.x...... ...{s.,/...}..h.z.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ............{...............................................................................................................................................................................................2...{..................................c.4.,/...}....................,/...}...........................#......h.z.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.08079560056644775
Encrypted:	false
SSDEEP:	3:04Ye+Grn6l/nqlFcl1ZUllllmoKBrlqllGBnX/l/Tj/k7/t:04zCl/qlFclQ/lUox254
MD5:	D8AFAF8E08F9CEACAC7AFE38707FD399
SHA1:	9615A9A17A4BE0995204A8706E2930F5575C8F37
SHA-256:	ED0B7607676B0B58B6385A731FD30EF43ED6DE9231A7F348A9ECFCD3E7B4303E
SHA-512:	5A090C4BCB275E15421E914AA777386924ADFE9D453E2B32E2822E5E890B58EE11BAAF90F48FF44720E54D4A5284D45F9CCC8FC57410AFA8871E9AC6EA16C58A
Malicious:	false
Preview:	..-.....................................;...{..,/...}... ...{s.......... ...{s.. ...{s.P.... ...{s....................,/...}..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\C6FGS0I3yn.exe.log

Download File

Process:	C:\Users\user\Desktop\C6FGS0I3yn.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1039
Entropy (8bit):	5.353332853270839
Encrypted:	false
SSDEEP:	24:ML9E4KiE4Ko84qXKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKiHKoviYHKh3oPtHo6hAHKzeR
MD5:	A4AF0F36EC4E0C69DC0F860C891E8BBE
SHA1:	28DD81A1EDDF71CBCBF86DA986E047279EF097CD
SHA-256:	B038D4342E4DD96217BD90CFE32581FCCB381C5C2E6FF257CD32854F840D1FDE
SHA-512:	A675D3E9DB5BDD325A22E82C6BCDBD5409D7A34453DAAEB0E37206BE982C388547E1BDF22DC70393C69D0CE55635E2364502572C3AD2E6753A56A5C3893F6D69
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	2232
Entropy (8bit):	5.380805901110357
Encrypted:	false
SSDEEP:	48:lylWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//ZSUyus:lGLHyIFKL3IZ2KRH9OugEs
MD5:	4AD173050672D4E4D906A6827BD76175
SHA1:	971C60C54970A8C94A85753FB9301C49CAF63FE0
SHA-256:	FB92B93A8CCCB82D3449F3CA68452EEF78C571C95D7DB84CC9B12C8D6C0498C1
SHA-512:	49C6D82B927706A7152FDA8ABE53836619B2A2EECFA4D473B6F63F9506579255F552E3F5CB67654D7EF32B45BEE83AA5CE110E3C01BEEBFA852DDBD7C2C60BFC
Malicious:	false
Preview:	@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_spdatfgj.phl.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_txsu2mvs.gbd.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xnuxo2ll.eip.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zyplobmg.3kr.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.117305202203418
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	C6FGS0I3yn.exe
File size:	890'368 bytes
MD5:	a1279890aeb8abe7f5f043b844c37610
SHA1:	f499167373d11cfd9f006e32ba493dea460876cf
SHA256:	ac3e59d452c9afd22e61846b9f5d1b475c0fb1e9ee0a890dea660a61280bce57
SHA512:	54a0b3563ccb793e1940b2b18989b39e99feee47b4f180d569ded5f8e848f70c18e0e4a1f83ac5dd3250f5852d77138ded558f5ec71e8445456002f9709d111c
SSDEEP:	12288:xd0N/PDnN55KQbbjQZEiAGaYwUyNLIUZBvTPEviFZEhmDL1xIrZlXXLRuAUY6IkB:r0BLnN55KQbnQEYwUsDLEIE0D
TLSH:	04152AEC3620339ECC67D579C9686C74E760347A630B629390D713DA7A4C693DF18AA3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...0.................0.................. ........@.. ....................................@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4daafe
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x84FBAC30 [Wed Sep 12 18:08:48 2040 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xdaaa4	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xdc000	0x5a0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xd8b04	0xd8c00	3d74ab98c88e544c47547752425c3f69	False	0.6818850472174164	data	7.122195322883306	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xdc000	0x5a0	0x600	ea8461e48a4a0c89397c78e29912e051	False	0.41796875	data	4.0541899362085365	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0xc	0x200	eda316f4db9c4282c85d81fff12f6649	False	0.041015625	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xdc0a0	0x314	data			0.43147208121827413
RT_MANIFEST	0xdc3b4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
Comments
CompanyName
FileDescription	Polly Pipe
FileVersion	1.0.0.0
InternalName	Jdxr.exe
LegalCopyright	Copyright 2022
LegalTrademarks
OriginalFilename	Jdxr.exe
ProductName	Polly Pipe
ProductVersion	1.0.0.0
Assembly Version	1.0.0.0

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-07T15:47:16.548545+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49683	132.226.247.73	80	TCP
2025-03-07T15:47:19.376686+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49683	132.226.247.73	80	TCP
2025-03-07T15:47:21.762509+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49685	104.21.112.1	443	TCP
2025-03-07T15:47:22.564249+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49686	132.226.247.73	80	TCP
2025-03-07T15:47:28.302779+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.8	49689	104.21.112.1	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 7, 2025 15:47:15.597243071 CET	49683	80	192.168.2.8	132.226.247.73
Mar 7, 2025 15:47:15.603686094 CET	80	49683	132.226.247.73	192.168.2.8
Mar 7, 2025 15:47:15.603754997 CET	49683	80	192.168.2.8	132.226.247.73
Mar 7, 2025 15:47:15.606328011 CET	49683	80	192.168.2.8	132.226.247.73
Mar 7, 2025 15:47:15.611779928 CET	80	49683	132.226.247.73	192.168.2.8
Mar 7, 2025 15:47:16.285280943 CET	80	49683	132.226.247.73	192.168.2.8
Mar 7, 2025 15:47:16.290715933 CET	49683	80	192.168.2.8	132.226.247.73
Mar 7, 2025 15:47:16.295792103 CET	80	49683	132.226.247.73	192.168.2.8
Mar 7, 2025 15:47:16.499068022 CET	80	49683	132.226.247.73	192.168.2.8
Mar 7, 2025 15:47:16.548544884 CET	49683	80	192.168.2.8	132.226.247.73
Mar 7, 2025 15:47:16.555485010 CET	49684	443	192.168.2.8	104.21.112.1
Mar 7, 2025 15:47:16.555538893 CET	443	49684	104.21.112.1	192.168.2.8
Mar 7, 2025 15:47:16.555705070 CET	49684	443	192.168.2.8	104.21.112.1
Mar 7, 2025 15:47:16.565587997 CET	49684	443	192.168.2.8	104.21.112.1
Mar 7, 2025 15:47:16.565610886 CET	443	49684	104.21.112.1	192.168.2.8
Mar 7, 2025 15:47:18.443030119 CET	443	49684	104.21.112.1	192.168.2.8
Mar 7, 2025 15:47:18.443139076 CET	49684	443	192.168.2.8	104.21.112.1
Mar 7, 2025 15:47:18.509465933 CET	49684	443	192.168.2.8	104.21.112.1
Mar 7, 2025 15:47:18.509509087 CET	443	49684	104.21.112.1	192.168.2.8
Mar 7, 2025 15:47:18.510052919 CET	443	49684	104.21.112.1	192.168.2.8
Mar 7, 2025 15:47:18.564158916 CET	49684	443	192.168.2.8	104.21.112.1
Mar 7, 2025 15:47:18.629671097 CET	49684	443	192.168.2.8	104.21.112.1
Mar 7, 2025 15:47:18.676332951 CET	443	49684	104.21.112.1	192.168.2.8
Mar 7, 2025 15:47:19.070595980 CET	443	49684	104.21.112.1	192.168.2.8
Mar 7, 2025 15:47:19.070664883 CET	443	49684	104.21.112.1	192.168.2.8
Mar 7, 2025 15:47:19.070945978 CET	49684	443	192.168.2.8	104.21.112.1
Mar 7, 2025 15:47:19.118575096 CET	49684	443	192.168.2.8	104.21.112.1
Mar 7, 2025 15:47:19.121972084 CET	49683	80	192.168.2.8	132.226.247.73
Mar 7, 2025 15:47:19.127015114 CET	80	49683	132.226.247.73	192.168.2.8
Mar 7, 2025 15:47:19.330982924 CET	80	49683	132.226.247.73	192.168.2.8
Mar 7, 2025 15:47:19.342334032 CET	49685	443	192.168.2.8	104.21.112.1
Mar 7, 2025 15:47:19.342381954 CET	443	49685	104.21.112.1	192.168.2.8
Mar 7, 2025 15:47:19.342447996 CET	49685	443	192.168.2.8	104.21.112.1
Mar 7, 2025 15:47:19.342749119 CET	49685	443	192.168.2.8	104.21.112.1
Mar 7, 2025 15:47:19.342761040 CET	443	49685	104.21.112.1	192.168.2.8
Mar 7, 2025 15:47:19.376686096 CET	49683	80	192.168.2.8	132.226.247.73
Mar 7, 2025 15:47:21.210340977 CET	443	49685	104.21.112.1	192.168.2.8
Mar 7, 2025 15:47:21.219563961 CET	49685	443	192.168.2.8	104.21.112.1
Mar 7, 2025 15:47:21.219593048 CET	443	49685	104.21.112.1	192.168.2.8
Mar 7, 2025 15:47:21.762522936 CET	443	49685	104.21.112.1	192.168.2.8
Mar 7, 2025 15:47:21.762590885 CET	443	49685	104.21.112.1	192.168.2.8
Mar 7, 2025 15:47:21.762662888 CET	49685	443	192.168.2.8	104.21.112.1
Mar 7, 2025 15:47:21.763112068 CET	49685	443	192.168.2.8	104.21.112.1
Mar 7, 2025 15:47:21.766421080 CET	49683	80	192.168.2.8	132.226.247.73
Mar 7, 2025 15:47:21.767714024 CET	49686	80	192.168.2.8	132.226.247.73
Mar 7, 2025 15:47:21.771696091 CET	80	49683	132.226.247.73	192.168.2.8
Mar 7, 2025 15:47:21.771773100 CET	49683	80	192.168.2.8	132.226.247.73
Mar 7, 2025 15:47:21.772732973 CET	80	49686	132.226.247.73	192.168.2.8
Mar 7, 2025 15:47:21.772798061 CET	49686	80	192.168.2.8	132.226.247.73
Mar 7, 2025 15:47:21.772913933 CET	49686	80	192.168.2.8	132.226.247.73
Mar 7, 2025 15:47:21.777915955 CET	80	49686	132.226.247.73	192.168.2.8
Mar 7, 2025 15:47:22.518892050 CET	80	49686	132.226.247.73	192.168.2.8
Mar 7, 2025 15:47:22.520558119 CET	49687	443	192.168.2.8	104.21.112.1
Mar 7, 2025 15:47:22.520606041 CET	443	49687	104.21.112.1	192.168.2.8
Mar 7, 2025 15:47:22.520678997 CET	49687	443	192.168.2.8	104.21.112.1
Mar 7, 2025 15:47:22.520946980 CET	49687	443	192.168.2.8	104.21.112.1
Mar 7, 2025 15:47:22.520968914 CET	443	49687	104.21.112.1	192.168.2.8
Mar 7, 2025 15:47:22.564249039 CET	49686	80	192.168.2.8	132.226.247.73
Mar 7, 2025 15:47:24.432079077 CET	443	49687	104.21.112.1	192.168.2.8
Mar 7, 2025 15:47:24.434879065 CET	49687	443	192.168.2.8	104.21.112.1
Mar 7, 2025 15:47:24.434914112 CET	443	49687	104.21.112.1	192.168.2.8
Mar 7, 2025 15:47:24.970016003 CET	443	49687	104.21.112.1	192.168.2.8
Mar 7, 2025 15:47:24.970174074 CET	443	49687	104.21.112.1	192.168.2.8
Mar 7, 2025 15:47:24.970375061 CET	49687	443	192.168.2.8	104.21.112.1
Mar 7, 2025 15:47:24.970845938 CET	49687	443	192.168.2.8	104.21.112.1
Mar 7, 2025 15:47:24.975569963 CET	49688	80	192.168.2.8	132.226.247.73
Mar 7, 2025 15:47:24.980611086 CET	80	49688	132.226.247.73	192.168.2.8
Mar 7, 2025 15:47:24.980737925 CET	49688	80	192.168.2.8	132.226.247.73
Mar 7, 2025 15:47:24.980850935 CET	49688	80	192.168.2.8	132.226.247.73
Mar 7, 2025 15:47:24.985928059 CET	80	49688	132.226.247.73	192.168.2.8
Mar 7, 2025 15:47:25.694916010 CET	80	49688	132.226.247.73	192.168.2.8
Mar 7, 2025 15:47:25.696361065 CET	49689	443	192.168.2.8	104.21.112.1
Mar 7, 2025 15:47:25.696408033 CET	443	49689	104.21.112.1	192.168.2.8
Mar 7, 2025 15:47:25.696563005 CET	49689	443	192.168.2.8	104.21.112.1
Mar 7, 2025 15:47:25.696769953 CET	49689	443	192.168.2.8	104.21.112.1
Mar 7, 2025 15:47:25.696789980 CET	443	49689	104.21.112.1	192.168.2.8
Mar 7, 2025 15:47:25.736119986 CET	49688	80	192.168.2.8	132.226.247.73
Mar 7, 2025 15:47:27.717904091 CET	443	49689	104.21.112.1	192.168.2.8
Mar 7, 2025 15:47:27.742305040 CET	49689	443	192.168.2.8	104.21.112.1
Mar 7, 2025 15:47:27.742338896 CET	443	49689	104.21.112.1	192.168.2.8
Mar 7, 2025 15:47:28.302798033 CET	443	49689	104.21.112.1	192.168.2.8
Mar 7, 2025 15:47:28.337893009 CET	443	49689	104.21.112.1	192.168.2.8
Mar 7, 2025 15:47:28.338018894 CET	49689	443	192.168.2.8	104.21.112.1
Mar 7, 2025 15:47:28.339560986 CET	49689	443	192.168.2.8	104.21.112.1
Mar 7, 2025 15:47:28.497775078 CET	49688	80	192.168.2.8	132.226.247.73
Mar 7, 2025 15:47:28.498970032 CET	49690	80	192.168.2.8	132.226.247.73
Mar 7, 2025 15:47:28.504343033 CET	80	49688	132.226.247.73	192.168.2.8
Mar 7, 2025 15:47:28.504399061 CET	49688	80	192.168.2.8	132.226.247.73
Mar 7, 2025 15:47:28.505260944 CET	80	49690	132.226.247.73	192.168.2.8
Mar 7, 2025 15:47:28.505414963 CET	49690	80	192.168.2.8	132.226.247.73
Mar 7, 2025 15:47:28.505494118 CET	49690	80	192.168.2.8	132.226.247.73
Mar 7, 2025 15:47:28.511684895 CET	80	49690	132.226.247.73	192.168.2.8
Mar 7, 2025 15:47:29.212088108 CET	80	49690	132.226.247.73	192.168.2.8
Mar 7, 2025 15:47:29.213506937 CET	49691	443	192.168.2.8	104.21.112.1
Mar 7, 2025 15:47:29.213553905 CET	443	49691	104.21.112.1	192.168.2.8
Mar 7, 2025 15:47:29.213851929 CET	49691	443	192.168.2.8	104.21.112.1
Mar 7, 2025 15:47:29.214085102 CET	49691	443	192.168.2.8	104.21.112.1
Mar 7, 2025 15:47:29.214096069 CET	443	49691	104.21.112.1	192.168.2.8
Mar 7, 2025 15:47:29.267316103 CET	49690	80	192.168.2.8	132.226.247.73
Mar 7, 2025 15:47:31.032233000 CET	443	49691	104.21.112.1	192.168.2.8
Mar 7, 2025 15:47:31.036329031 CET	49691	443	192.168.2.8	104.21.112.1
Mar 7, 2025 15:47:31.036362886 CET	443	49691	104.21.112.1	192.168.2.8
Mar 7, 2025 15:47:31.547795057 CET	443	49691	104.21.112.1	192.168.2.8
Mar 7, 2025 15:47:31.547868013 CET	443	49691	104.21.112.1	192.168.2.8
Mar 7, 2025 15:47:31.548047066 CET	49691	443	192.168.2.8	104.21.112.1
Mar 7, 2025 15:47:31.592328072 CET	49691	443	192.168.2.8	104.21.112.1
Mar 7, 2025 15:47:31.804582119 CET	49690	80	192.168.2.8	132.226.247.73
Mar 7, 2025 15:47:31.810029030 CET	80	49690	132.226.247.73	192.168.2.8
Mar 7, 2025 15:47:31.810123920 CET	49690	80	192.168.2.8	132.226.247.73
Mar 7, 2025 15:47:31.815224886 CET	49692	80	192.168.2.8	132.226.247.73
Mar 7, 2025 15:47:31.820553064 CET	80	49692	132.226.247.73	192.168.2.8
Mar 7, 2025 15:47:31.820646048 CET	49692	80	192.168.2.8	132.226.247.73
Mar 7, 2025 15:47:31.825599909 CET	49692	80	192.168.2.8	132.226.247.73
Mar 7, 2025 15:47:31.830815077 CET	80	49692	132.226.247.73	192.168.2.8
Mar 7, 2025 15:47:32.501612902 CET	80	49692	132.226.247.73	192.168.2.8
Mar 7, 2025 15:47:32.503353119 CET	49693	443	192.168.2.8	104.21.112.1
Mar 7, 2025 15:47:32.503401995 CET	443	49693	104.21.112.1	192.168.2.8
Mar 7, 2025 15:47:32.503469944 CET	49693	443	192.168.2.8	104.21.112.1
Mar 7, 2025 15:47:32.503766060 CET	49693	443	192.168.2.8	104.21.112.1
Mar 7, 2025 15:47:32.503778934 CET	443	49693	104.21.112.1	192.168.2.8
Mar 7, 2025 15:47:32.548579931 CET	49692	80	192.168.2.8	132.226.247.73
Mar 7, 2025 15:47:34.265964031 CET	443	49693	104.21.112.1	192.168.2.8
Mar 7, 2025 15:47:34.267915010 CET	49693	443	192.168.2.8	104.21.112.1
Mar 7, 2025 15:47:34.267939091 CET	443	49693	104.21.112.1	192.168.2.8
Mar 7, 2025 15:47:34.752934933 CET	443	49693	104.21.112.1	192.168.2.8
Mar 7, 2025 15:47:34.790519953 CET	443	49693	104.21.112.1	192.168.2.8
Mar 7, 2025 15:47:34.790599108 CET	49693	443	192.168.2.8	104.21.112.1
Mar 7, 2025 15:47:34.791006088 CET	49693	443	192.168.2.8	104.21.112.1
Mar 7, 2025 15:47:34.794425011 CET	49692	80	192.168.2.8	132.226.247.73
Mar 7, 2025 15:47:34.795675039 CET	49694	80	192.168.2.8	132.226.247.73
Mar 7, 2025 15:47:34.799635887 CET	80	49692	132.226.247.73	192.168.2.8
Mar 7, 2025 15:47:34.799715996 CET	49692	80	192.168.2.8	132.226.247.73
Mar 7, 2025 15:47:34.800806046 CET	80	49694	132.226.247.73	192.168.2.8
Mar 7, 2025 15:47:34.800925970 CET	49694	80	192.168.2.8	132.226.247.73
Mar 7, 2025 15:47:34.801001072 CET	49694	80	192.168.2.8	132.226.247.73
Mar 7, 2025 15:47:34.806112051 CET	80	49694	132.226.247.73	192.168.2.8
Mar 7, 2025 15:47:35.491239071 CET	80	49694	132.226.247.73	192.168.2.8
Mar 7, 2025 15:47:35.492575884 CET	49695	443	192.168.2.8	104.21.112.1
Mar 7, 2025 15:47:35.492619038 CET	443	49695	104.21.112.1	192.168.2.8
Mar 7, 2025 15:47:35.492824078 CET	49695	443	192.168.2.8	104.21.112.1
Mar 7, 2025 15:47:35.492949963 CET	49695	443	192.168.2.8	104.21.112.1
Mar 7, 2025 15:47:35.492957115 CET	443	49695	104.21.112.1	192.168.2.8
Mar 7, 2025 15:47:35.532958984 CET	49694	80	192.168.2.8	132.226.247.73
Mar 7, 2025 15:47:37.285403967 CET	443	49695	104.21.112.1	192.168.2.8
Mar 7, 2025 15:47:37.286997080 CET	49695	443	192.168.2.8	104.21.112.1
Mar 7, 2025 15:47:37.287017107 CET	443	49695	104.21.112.1	192.168.2.8
Mar 7, 2025 15:47:37.817903042 CET	443	49695	104.21.112.1	192.168.2.8
Mar 7, 2025 15:47:37.817975998 CET	443	49695	104.21.112.1	192.168.2.8
Mar 7, 2025 15:47:37.818053961 CET	49695	443	192.168.2.8	104.21.112.1
Mar 7, 2025 15:47:37.818645000 CET	49695	443	192.168.2.8	104.21.112.1
Mar 7, 2025 15:47:37.821959019 CET	49694	80	192.168.2.8	132.226.247.73
Mar 7, 2025 15:47:37.823081017 CET	49696	80	192.168.2.8	132.226.247.73
Mar 7, 2025 15:47:37.827290058 CET	80	49694	132.226.247.73	192.168.2.8
Mar 7, 2025 15:47:37.827384949 CET	49694	80	192.168.2.8	132.226.247.73
Mar 7, 2025 15:47:37.828177929 CET	80	49696	132.226.247.73	192.168.2.8
Mar 7, 2025 15:47:37.828263998 CET	49696	80	192.168.2.8	132.226.247.73
Mar 7, 2025 15:47:37.828336000 CET	49696	80	192.168.2.8	132.226.247.73
Mar 7, 2025 15:47:37.833400965 CET	80	49696	132.226.247.73	192.168.2.8
Mar 7, 2025 15:47:38.514950037 CET	80	49696	132.226.247.73	192.168.2.8
Mar 7, 2025 15:47:38.516397953 CET	49697	443	192.168.2.8	104.21.112.1
Mar 7, 2025 15:47:38.516447067 CET	443	49697	104.21.112.1	192.168.2.8
Mar 7, 2025 15:47:38.516529083 CET	49697	443	192.168.2.8	104.21.112.1
Mar 7, 2025 15:47:38.516777039 CET	49697	443	192.168.2.8	104.21.112.1
Mar 7, 2025 15:47:38.516793013 CET	443	49697	104.21.112.1	192.168.2.8
Mar 7, 2025 15:47:38.564225912 CET	49696	80	192.168.2.8	132.226.247.73
Mar 7, 2025 15:47:40.670094967 CET	443	49697	104.21.112.1	192.168.2.8
Mar 7, 2025 15:47:40.672154903 CET	49697	443	192.168.2.8	104.21.112.1
Mar 7, 2025 15:47:40.672188997 CET	443	49697	104.21.112.1	192.168.2.8
Mar 7, 2025 15:47:41.223431110 CET	443	49697	104.21.112.1	192.168.2.8
Mar 7, 2025 15:47:41.254403114 CET	443	49697	104.21.112.1	192.168.2.8
Mar 7, 2025 15:47:41.254544020 CET	49697	443	192.168.2.8	104.21.112.1
Mar 7, 2025 15:47:41.254909039 CET	49697	443	192.168.2.8	104.21.112.1
Mar 7, 2025 15:47:41.434179068 CET	49696	80	192.168.2.8	132.226.247.73
Mar 7, 2025 15:47:41.434191942 CET	49686	80	192.168.2.8	132.226.247.73

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 7, 2025 15:47:15.574629068 CET	58526	53	192.168.2.8	1.1.1.1
Mar 7, 2025 15:47:15.588279963 CET	53	58526	1.1.1.1	192.168.2.8
Mar 7, 2025 15:47:16.544526100 CET	58292	53	192.168.2.8	1.1.1.1
Mar 7, 2025 15:47:16.554582119 CET	53	58292	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 7, 2025 15:47:15.574629068 CET	192.168.2.8	1.1.1.1	0x49c0	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Mar 7, 2025 15:47:16.544526100 CET	192.168.2.8	1.1.1.1	0x8029	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 7, 2025 15:47:15.588279963 CET	1.1.1.1	192.168.2.8	0x49c0	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 7, 2025 15:47:15.588279963 CET	1.1.1.1	192.168.2.8	0x49c0	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Mar 7, 2025 15:47:15.588279963 CET	1.1.1.1	192.168.2.8	0x49c0	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Mar 7, 2025 15:47:15.588279963 CET	1.1.1.1	192.168.2.8	0x49c0	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Mar 7, 2025 15:47:15.588279963 CET	1.1.1.1	192.168.2.8	0x49c0	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Mar 7, 2025 15:47:15.588279963 CET	1.1.1.1	192.168.2.8	0x49c0	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Mar 7, 2025 15:47:16.554582119 CET	1.1.1.1	192.168.2.8	0x8029	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Mar 7, 2025 15:47:16.554582119 CET	1.1.1.1	192.168.2.8	0x8029	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Mar 7, 2025 15:47:16.554582119 CET	1.1.1.1	192.168.2.8	0x8029	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Mar 7, 2025 15:47:16.554582119 CET	1.1.1.1	192.168.2.8	0x8029	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Mar 7, 2025 15:47:16.554582119 CET	1.1.1.1	192.168.2.8	0x8029	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Mar 7, 2025 15:47:16.554582119 CET	1.1.1.1	192.168.2.8	0x8029	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Mar 7, 2025 15:47:16.554582119 CET	1.1.1.1	192.168.2.8	0x8029	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49683	132.226.247.73	80	2724	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Mar 7, 2025 15:47:15.606328011 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Mar 7, 2025 15:47:16.285280943 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 14:47:16 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Mar 7, 2025 15:47:16.290715933 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Mar 7, 2025 15:47:16.499068022 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 14:47:16 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Mar 7, 2025 15:47:19.121972084 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Mar 7, 2025 15:47:19.330982924 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 14:47:19 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49686	132.226.247.73	80	2724	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Mar 7, 2025 15:47:21.772913933 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Mar 7, 2025 15:47:22.518892050 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 14:47:22 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49688	132.226.247.73	80	2724	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Mar 7, 2025 15:47:24.980850935 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Mar 7, 2025 15:47:25.694916010 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 14:47:25 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49690	132.226.247.73	80	2724	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Mar 7, 2025 15:47:28.505494118 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Mar 7, 2025 15:47:29.212088108 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 14:47:29 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49692	132.226.247.73	80	2724	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Mar 7, 2025 15:47:31.825599909 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Mar 7, 2025 15:47:32.501612902 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 14:47:32 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49694	132.226.247.73	80	2724	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Mar 7, 2025 15:47:34.801001072 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Mar 7, 2025 15:47:35.491239071 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 14:47:35 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49696	132.226.247.73	80	2724	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Mar 7, 2025 15:47:37.828336000 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Mar 7, 2025 15:47:38.514950037 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 14:47:38 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49684	104.21.112.1	443	2724	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-07 14:47:18 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-03-07 14:47:19 UTC	861	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 14:47:18 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 75843 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Thu, 06 Mar 2025 17:43:15 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8v9%2FUCxsy8%2FUwjOc1k5zs2zgg8FGEkxaMjwI1C2QKNd%2F5%2BO0dUlrPU0pl0xD3gK3aN20iGLTGh8vLSzHGRbrOgT5FB0iwNYVLEtci1cvSQw%2BMpgId%2FLGkvQph4eIANsgXjZYYrRn"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91cae326ae88dd1d-ATL alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=33912&min_rtt=27350&rtt_var=11773&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=89518&cwnd=238&unsent_bytes=0&cid=cfe9a51e135cab79&ts=610&x=0"
2025-03-07 14:47:19 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49685	104.21.112.1	443	2724	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-07 14:47:21 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-03-07 14:47:21 UTC	857	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 14:47:21 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 75845 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Thu, 06 Mar 2025 17:43:15 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iNOgno9AUgcJr2D3kAhWN%2FvKyaJf%2BUlyfiQ4t2ooupmXoybGBB72L2ulijlAv4qMbHMPk83fFCk2XfQDZdf1JnTpbGltnU%2Bi4mOy9M7wgjLLT11cYMZ42UF%2BlItDMQaItvVJ3JBg"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91cae3376803bae0-ATL alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=34490&min_rtt=31857&rtt_var=11321&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=90880&cwnd=250&unsent_bytes=0&cid=8d8d5762a173a67c&ts=661&x=0"
2025-03-07 14:47:21 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49687	104.21.112.1	443	2724	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-07 14:47:24 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-03-07 14:47:24 UTC	857	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 14:47:24 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 75849 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Thu, 06 Mar 2025 17:43:15 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ANj0tLh02pD%2B0wbl%2Bi6N3CG7mcLUqR2Eh3DVGID9e4NRbSmkWLZV4sZRZOi4WG%2BUQ5LMBQh4qOroNCE1OiHXGxnSftcOjOLqVGW8zv9upr%2BFC32M0YzopN0HXchQ0SEvdqJvGYum"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91cae34b8dabb023-ATL alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=34183&min_rtt=30794&rtt_var=11700&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=94013&cwnd=242&unsent_bytes=0&cid=417e18b77c4aede3&ts=638&x=0"
2025-03-07 14:47:24 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49689	104.21.112.1	443	2724	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-07 14:47:27 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-03-07 14:47:28 UTC	859	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 14:47:28 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 75852 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Thu, 06 Mar 2025 17:43:15 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dKKQ%2FordSJWcyQvC5oQz3u2qYh5l4XKs%2FxPWHXCHDo4A%2FOOSkUVKOs4AfXApPDsGxTK9SShZQd34IE5gJA6cDLlcg3U6%2BU2%2B0Bpn0VBoPucVVlvrHpPMfWxfw8PGc1jodYNQczFE"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91cae3609c92dd1d-ATL alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=29568&min_rtt=27793&rtt_var=9409&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=104176&cwnd=238&unsent_bytes=0&cid=7b307d62e2431a87&ts=744&x=0"
2025-03-07 14:47:28 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49691	104.21.112.1	443	2724	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-07 14:47:31 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-03-07 14:47:31 UTC	854	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 14:47:31 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 75855 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Thu, 06 Mar 2025 17:43:15 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JKhYWT37bRDJy79ewLuYipC0NUC0hbSWm8V44KnCSBEdQPrJCoCJVCPnENzpGdBVnaKeBapTUweV56SoIohdKjtMieYI1a0YFMT6BN0%2BHYwzsAK0BFScu84x%2FtnJyzBDP1WDqveU"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91cae374ceccbae0-ATL alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=33528&min_rtt=27699&rtt_var=13021&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=104514&cwnd=250&unsent_bytes=0&cid=a8a0a2d4c0f0a013&ts=527&x=0"
2025-03-07 14:47:31 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49693	104.21.112.1	443	2724	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-07 14:47:34 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-03-07 14:47:34 UTC	856	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 14:47:34 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 75858 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Thu, 06 Mar 2025 17:43:15 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oditeRdmLou90QVGfnezs8fBFu4L3cHGbM%2B9WjOS4JDiK6%2Bl5cT%2FGpQ8VVKm1ES3NJujys8o0c2cDtmUNyoO6Fyhu9QCDw1BpPVINC3m8ppvLH32LBt63gc7CIhaT5vH%2BiUG8voD"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91cae388ff0bdd1d-ATL alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=31141&min_rtt=30324&rtt_var=9946&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=85639&cwnd=238&unsent_bytes=0&cid=b9a7fffb3c3bebd3&ts=503&x=0"
2025-03-07 14:47:34 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49695	104.21.112.1	443	2724	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-07 14:47:37 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-03-07 14:47:37 UTC	854	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 14:47:37 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 75861 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Thu, 06 Mar 2025 17:43:15 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=l8A2vN5h2CiR66k7IzEn%2BpMHf3WmcyB4DwPBapoO8YJn%2FM7je4Y8EwotzMAC4CNoK8DYsIwudZFfmXQ4itLMEcMgUSQ5RsAnAVo7mk86VlZ%2B10tkYSlaZa5PcsAPAghYmND7jFs0"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91cae39bd88cbae0-ATL alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=30095&min_rtt=29689&rtt_var=8711&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=97511&cwnd=250&unsent_bytes=0&cid=88e04ccfb2102534&ts=640&x=0"
2025-03-07 14:47:37 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.8	49697	104.21.112.1	443	2724	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-07 14:47:40 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-03-07 14:47:41 UTC	855	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 14:47:41 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 75865 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Thu, 06 Mar 2025 17:43:15 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=P4QZAMYAsu77NH3hpFLloUuac8tznO57TlqVkNe5vsiVXNRmIuzsgBqRlT1MwYMG%2Bi7B82lvmz7PkziNSwtmgdwfH1rwRElp%2FqsqChRrrr4eCmZ7YCPq5nmORu769VRHRh%2FP9A0f"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91cae3b13b7e6732-ATL alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=30903&min_rtt=29994&rtt_var=10019&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=85254&cwnd=235&unsent_bytes=0&cid=f8e5082576b0dfb5&ts=699&x=0"
2025-03-07 14:47:41 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	09:47:13
Start date:	07/03/2025
Path:	C:\Users\user\Desktop\C6FGS0I3yn.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\C6FGS0I3yn.exe"
Imagebase:	0x9b0000
File size:	890'368 bytes
MD5 hash:	A1279890AEB8ABE7F5F043B844C37610
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.915425834.0000000003EA9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.915425834.0000000003EA9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.915425834.0000000003EA9000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.915425834.0000000004702000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.915425834.0000000004702000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.915425834.0000000004702000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	09:47:14
Start date:	07/03/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\C6FGS0I3yn.exe"
Imagebase:	0x830000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:47:14
Start date:	07/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6e60e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:47:14
Start date:	07/03/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x510000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000003.00000002.1171129003.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.1171129003.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000003.00000002.1171129003.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000003.00000002.1172782030.0000000002801000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	09:47:16
Start date:	07/03/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff726800000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	09:47:41
Start date:	07/03/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x8e0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	09:47:41
Start date:	07/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6e60e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	09:47:41
Start date:	07/03/2025
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /C Y /N /D Y /T 3
Imagebase:	0xcc0000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	09:47:44
Start date:	07/03/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff66acf0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report C6FGS0I3yn.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\C6FGS0I3yn.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_spdatfgj.phl.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_txsu2mvs.gbd.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xnuxo2ll.eip.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zyplobmg.3kr.ps1

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Static File Info

General

File Icon

Static PE Info

Windows Analysis Report
C6FGS0I3yn.exe