
Windows Analysis Report
7l3CafRVv7.exe

Overview

General Information

Sample name: 7l3CafRVv7.exe (renamed because the original name is a hash value)
Original sample name: ab2b7582e890d253761d1f41c262c27d314ddfa0e6ecb7c43aa6149acea2e426.exe
Analysis ID: 1631783
MD5: 046295be03e8dcf9eacf9befb7d9b4ef
SHA1: 67441f3c6af067830704bc3d09a6c0460b4876c3
SHA256: ab2b7582e890d253761d1f41c262c27d314ddfa0e6ecb7c43aa6149acea2e426
Tags: exe, user-adrian__luca

Detection

MSIL Logger, MassLogger RAT
Score: 100 (range 0 - 100)
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected MSIL Logger
Yara detected MassLogger RAT
Yara detected Telegram RAT
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Joe Sandbox ML detected suspicious sample
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • 7l3CafRVv7.exe (PID: 6556, cmdline: "C:\Users\user\Desktop\7l3CafRVv7.exe", MD5: 046295BE03E8DCF9EACF9BEFB7D9B4EF)
    • 7l3CafRVv7.exe (PID: 6716, cmdline: "C:\Users\user\Desktop\7l3CafRVv7.exe", MD5: 046295BE03E8DCF9EACF9BEFB7D9B4EF)
  • cleanup
Malware Configuration

MassLogger: {"EXfil Mode": "Telegram", "Telegram Token": "7756640782:AAGnFu3e4jddvj5TE8bEBVB_3c_4DP5vedk", "Telegram Chatid": "6070433873"}

The token authenticates the operator's Telegram bot and the chat id is the destination of the uploaded logs; both are exact-match hunt keys, and the numeric prefix of the token (7756640782) is the bot's id.
Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000002.00000002.2410109640.0000000000632000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
00000002.00000002.2410109640.0000000000632000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000002.00000002.2410109640.0000000000632000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_MSILLogger | Yara detected MSIL Logger | Joe Security
00000002.00000002.2410109640.0000000000632000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
00000002.00000002.2410109640.0000000000632000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  Strings matched by Windows_Trojan_SnakeKeylogger_af3faa65 (offset:$id: string):
  • 0xefdf:$a1: get_encryptedPassword
  • 0xf307:$a2: get_encryptedUsername
  • 0xed7a:$a3: get_timePasswordChanged
  • 0xee9b:$a4: get_passwordField
  • 0xeff5:$a5: set_encryptedPassword
  • 0x10951:$a7: get_logins
  • 0x10602:$a8: GetOutlookPasswords
  • 0x103f4:$a9: StartKeylogger
  • 0x108a1:$a10: KeyLoggerEventArgs
  • 0x10451:$a11: KeyLoggerEventArgsEventHandler
(16 entries in the full report; 5 shown)
Unpacked PEs

Source | Rule | Description | Author
0.2.7l3CafRVv7.exe.3664640.4.unpack | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
0.2.7l3CafRVv7.exe.3664640.4.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.7l3CafRVv7.exe.3664640.4.unpack | JoeSecurity_MSILLogger | Yara detected MSIL Logger | Joe Security
0.2.7l3CafRVv7.exe.3664640.4.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
0.2.7l3CafRVv7.exe.3664640.4.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  Strings matched by Windows_Trojan_SnakeKeylogger_af3faa65 (offset:$id: string):
  • 0xd3df:$a1: get_encryptedPassword
  • 0xd707:$a2: get_encryptedUsername
  • 0xd17a:$a3: get_timePasswordChanged
  • 0xd29b:$a4: get_passwordField
  • 0xd3f5:$a5: set_encryptedPassword
  • 0xed51:$a7: get_logins
  • 0xea02:$a8: GetOutlookPasswords
  • 0xe7f4:$a9: StartKeylogger
  • 0xeca1:$a10: KeyLoggerEventArgs
  • 0xe851:$a11: KeyLoggerEventArgsEventHandler
(31 entries in the full report; 5 shown)
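The two Windows_Trojan_SnakeKeylogger_af3faa65 string lists above are worth reading side by side: every $a string sits exactly 0x1c00 bytes higher in the memory dump than in the unpacked PE (0xefdf vs 0xd3df, 0x10951 vs 0xed51, and so on), i.e. the same .NET image seen through two different section layouts. The Python below is an added example, not the Elastic rule and not Joe Sandbox code, that re-checks such hits by hand: it searches a buffer for the listed strings, applies an N-of-M condition (the threshold of 6 is an assumption for the demo, not the rule's real condition; $a6 is absent from the report excerpt and is omitted), and computes the offset delta between two buffers. The buffers are constructed fixtures that place the strings at the report's unpacked-PE offsets and at the same offsets shifted by 0x1c00.

```python
"""Re-check Yara string hits by hand: locate each listed string in a buffer,
apply an N-of-M condition, and compare offsets between two dumps of the same
image.  Added example; not the Elastic rule itself."""
import re

# Strings from the Windows_Trojan_SnakeKeylogger_af3faa65 hits on this page.
SNAKE_STRINGS = {
    "a1": b"get_encryptedPassword",
    "a2": b"get_encryptedUsername",
    "a3": b"get_timePasswordChanged",
    "a4": b"get_passwordField",
    "a5": b"set_encryptedPassword",
    "a7": b"get_logins",
    "a8": b"GetOutlookPasswords",
    "a9": b"StartKeylogger",
    "a10": b"KeyLoggerEventArgs",
    "a11": b"KeyLoggerEventArgsEventHandler",
}


def scan(buf, strings=SNAKE_STRINGS):
    """Return {name: [offsets]} for every pattern present in buf, like a
    plain ascii Yara string with no modifiers.  Note that $a10 is a prefix
    of $a11, so it also fires wherever $a11 does."""
    hits = {}
    for name, pat in strings.items():
        offs = [m.start() for m in re.finditer(re.escape(pat), buf)]
        if offs:
            hits[name] = offs
    return hits


def rule_matches(hits, min_hits=6):
    """N-of-M condition (6 is an assumed threshold for the demo)."""
    return len(hits) >= min_hits


def constant_delta(hits_a, hits_b):
    """If every shared string sits at one constant distance between two
    buffers, return that delta; otherwise None."""
    shared = set(hits_a) & set(hits_b)
    if not shared:
        return None
    deltas = {hits_b[n][0] - hits_a[n][0] for n in shared}
    return deltas.pop() if len(deltas) == 1 else None


def build_image(layout, size):
    """Construct a zero-filled buffer with strings at chosen offsets."""
    buf = bytearray(size)
    for name, off in layout.items():
        s = SNAKE_STRINGS[name]
        buf[off:off + len(s)] = s
    return bytes(buf)


# Fixtures: the unpacked-PE offsets printed in the report, and the same
# layout shifted by 0x1c00 to mimic the memory-dump offsets.
UNPACKED_LAYOUT = {"a1": 0xd3df, "a2": 0xd707, "a3": 0xd17a, "a4": 0xd29b,
                   "a5": 0xd3f5, "a7": 0xed51, "a8": 0xea02, "a9": 0xe7f4,
                   "a10": 0xeca1, "a11": 0xe851}
UNPACKED = build_image(UNPACKED_LAYOUT, 0x12000)
MEMDUMP = build_image({k: v + 0x1c00 for k, v in UNPACKED_LAYOUT.items()}, 0x14000)

if __name__ == "__main__":
    ua, md = scan(UNPACKED), scan(MEMDUMP)
    print("unpacked matches rule:", rule_matches(ua))
    print("delta unpacked -> memdump:", hex(constant_delta(ua, md)))
```

The $a10 / $a11 overlap is the practical caveat: a rule that counts "N of them" is satisfied one string sooner than the author may have intended, because KeyLoggerEventArgs is found inside KeyLoggerEventArgsEventHandler as well as on its own. A constant delta across all strings, as here, tells you the two scans hit the same binary rather than two builds, so one set of offsets is enough when writing a tighter rule.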
Sigma Overview

No Sigma rule has matched

Suricata Overview

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-07T15:48:05.052919+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.10 | 49681 | 132.226.247.73 | 80 | TCP

AV Detection

Source: 7l3CafRVv7.exe | Avira: detected
Source: 00000000.00000002.1168495027.00000000035A9000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "7756640782:AAGnFu3e4jddvj5TE8bEBVB_3c_4DP5vedk", "Telegram Chatid": "6070433873"}
Source: 7l3CafRVv7.exe | Virustotal: Detection: 76%
Source: 7l3CafRVv7.exe | ReversingLabs: Detection: 73%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability

Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org

Compliance

Source: 7l3CafRVv7.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.10:49682 version: TLS 1.0
Source: 7l3CafRVv7.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: G:\IMPORTANT SRC\GOOD Nova\Crypter\Stubs Fully\Public\Public Runpe\PR\PR\obj\Debug\Poses.pdb | source: 7l3CafRVv7.exe, 00000000.00000002.1168414663.00000000025A1000.00000004.00000800.00020000.00000000.sdmp, 7l3CafRVv7.exe, 00000000.00000002.1168924319.0000000004B70000.00000004.08000000.00040000.00000000.sdmp, 7l3CafRVv7.exe, 00000000.00000002.1168414663.000000000260B000.00000004.00000800.00020000.00000000.sdmp
Networking

Source: C:\Users\user\Desktop\7l3CafRVv7.exe | Code function: 4x nop then jmp 02369731h | 2_2_02369480
Source: C:\Users\user\Desktop\7l3CafRVv7.exe | Code function: 4x nop then jmp 02369E5Ah | 2_2_02369A40
Source: C:\Users\user\Desktop\7l3CafRVv7.exe | Code function: 4x nop then jmp 02369E5Ah | 2_2_02369A30
Source: C:\Users\user\Desktop\7l3CafRVv7.exe | Code function: 4x nop then jmp 02369E5Ah | 2_2_02369D87
Source: C:\Users\user\Desktop\7l3CafRVv7.exe | Code function: 4x nop then jmp 051747C9h | 2_2_05174520
Source: C:\Users\user\Desktop\7l3CafRVv7.exe | Code function: 4x nop then jmp 05178830h | 2_2_05178588
Source: C:\Users\user\Desktop\7l3CafRVv7.exe | Code function: 4x nop then jmp 051776D0h | 2_2_05177428
Source: C:\Users\user\Desktop\7l3CafRVv7.exe | Code function: 4x nop then jmp 0517F700h | 2_2_0517F458
Source: C:\Users\user\Desktop\7l3CafRVv7.exe | Code function: 4x nop then jmp 0517E9F8h | 2_2_0517E750
Source: C:\Users\user\Desktop\7l3CafRVv7.exe | Code function: 4x nop then jmp 05175929h | 2_2_05175680
Source: C:\Users\user\Desktop\7l3CafRVv7.exe | Code function: 4x nop then jmp 051783D8h | 2_2_05178130
Source: C:\Users\user\Desktop\7l3CafRVv7.exe | Code function: 4x nop then jmp 0517E5A0h | 2_2_0517E180
Source: C:\Users\user\Desktop\7l3CafRVv7.exe | Code function: 4x nop then jmp 05177278h | 2_2_051771DC
Source: C:\Users\user\Desktop\7l3CafRVv7.exe | Code function: 4x nop then jmp 0517F2A8h | 2_2_0517F000
Source: C:\Users\user\Desktop\7l3CafRVv7.exe | Code function: 4x nop then jmp 051754D1h | 2_2_05175228
Source: C:\Users\user\Desktop\7l3CafRVv7.exe | Code function: 4x nop then jmp 05175079h | 2_2_05174DD0
Source: C:\Users\user\Desktop\7l3CafRVv7.exe | Code function: 4x nop then jmp 05177F80h | 2_2_05177CD8
Source: C:\Users\user\Desktop\7l3CafRVv7.exe | Code function: 4x nop then jmp 05174C21h | 2_2_05174978
Source: C:\Users\user\Desktop\7l3CafRVv7.exe | Code function: 4x nop then jmp 05177B28h | 2_2_05177880
Source: C:\Users\user\Desktop\7l3CafRVv7.exe | Code function: 4x nop then jmp 0517FB58h | 2_2_0517F8B0
Source: C:\Users\user\Desktop\7l3CafRVv7.exe | Code function: 4x nop then jmp 0517EE50h | 2_2_0517EBA8
Source: C:\Users\user\Desktop\7l3CafRVv7.exe | Code function: 4x nop then jmp 05175E15h | 2_2_05175AD8
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 104.21.80.1
Source: Joe Sandbox View | IP Address: 132.226.247.73
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49681 -> 132.226.247.73:80
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: unknown | HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.10:49682 version: TLS 1.0
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: 7l3CafRVv7.exe, 00000002.00000002.2411769091.00000000025FE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
Source: 7l3CafRVv7.exe, 00000002.00000002.2411769091.00000000025FE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.comd
Source: 7l3CafRVv7.exe, 00000002.00000002.2411769091.00000000025FE000.00000004.00000800.00020000.00000000.sdmp, 7l3CafRVv7.exe, 00000002.00000002.2411769091.00000000025F3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: 7l3CafRVv7.exe, 00000002.00000002.2411769091.0000000002581000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: 7l3CafRVv7.exe, 00000002.00000002.2411769091.00000000025FE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/d
Source: 7l3CafRVv7.exe, 00000000.00000002.1168495027.00000000035A9000.00000004.00000800.00020000.00000000.sdmp, 7l3CafRVv7.exe, 00000002.00000002.2410109640.0000000000632000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: 7l3CafRVv7.exe, 00000002.00000002.2411769091.00000000025FE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.orgd
Source: 7l3CafRVv7.exe, 00000002.00000002.2411769091.000000000261A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.org
Source: 7l3CafRVv7.exe, 00000002.00000002.2411769091.000000000261A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.orgd
Source: 7l3CafRVv7.exe, 00000002.00000002.2411769091.0000000002581000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 7l3CafRVv7.exe, 00000000.00000002.1168495027.00000000035A9000.00000004.00000800.00020000.00000000.sdmp, 7l3CafRVv7.exe, 00000002.00000002.2410109640.0000000000632000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: 7l3CafRVv7.exe, 00000002.00000002.2411769091.00000000025FE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
Source: 7l3CafRVv7.exe, 00000000.00000002.1168495027.00000000035A9000.00000004.00000800.00020000.00000000.sdmp, 7l3CafRVv7.exe, 00000002.00000002.2411769091.00000000025FE000.00000004.00000800.00020000.00000000.sdmp, 7l3CafRVv7.exe, 00000002.00000002.2410109640.0000000000632000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: 7l3CafRVv7.exe, 00000002.00000002.2411769091.00000000025FE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: 7l3CafRVv7.exe, 00000002.00000002.2411769091.00000000025FE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49682
Source: unknown | Network traffic detected: HTTP traffic on port 49682 -> 443
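Read together, the network entries above and the extracted configuration describe a three-step chain: a DNS lookup and plain-HTTP GET / to checkip.dyndns.org (132.226.247.73:80) carrying the hard-coded user agent Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;), which is what Suricata SID 2803274 fires on; then a TLS 1.0 session to 104.21.80.1:443 carrying GET /xml/8.46.123.189 to reallyfreegeoip.org with no User-Agent header at all, the path holding the public address presumably returned by the first request; and finally, per the https://api.telegram.org/bot-/sendDocument?chat_id= template string and the Telegram token and chat id in the configuration, uploads of the collected data to the Telegram Bot API. The Python below is an added example (not Joe Sandbox or MassLogger code) that turns those observations into a hunt over HTTP proxy logs keyed on the configuration block. The log format, every log line, and the token and chat id are constructed stand-ins rather than the report's real values. One detail worth an exact match: the stealer writes ".NET CLR1.0.3705" with no space after CLR, whereas a genuine Internet Explorer agent string spells it ".NET CLR 1.0.3705".

```python
"""Hunt for the MassLogger beacon chain recorded in this report: an external
IP check with a legacy .NET user agent, a geolocation lookup with no user
agent at all, and document uploads to the Telegram Bot API with the token
from the extracted configuration.  Added example; log format, log lines,
token and chat id below are all constructed."""
import re
from collections import defaultdict

# Same shape as the extracted config on this page, with dummy values.
CONFIG = {"EXfil Mode": "Telegram",
          "Telegram Token": "1234567890:AAExampleTokenNotTheRealOne_xxxxxxx",
          "Telegram Chatid": "1000000001"}

# The stealer's hard-coded IP-check UA ("CLR1.0.3705", no space after CLR).
LEGACY_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"
IPCHECK_HOSTS = {"checkip.dyndns.org", "checkip.dyndns.com"}
GEOIP_HOST = "reallyfreegeoip.org"
GEOIP_PATH = re.compile(r"^/xml/\d{1,3}(?:\.\d{1,3}){3}$")


def telegram_iocs(cfg):
    """Derive hunt keys from a MassLogger config: the bot id (left of the
    colon in a Telegram token), the URL prefix every Bot API call must start
    with, and the destination chat id."""
    token = cfg["Telegram Token"]
    return {"bot_id": token.split(":", 1)[0],
            "url_prefix": "/bot" + token + "/",
            "chat_id": cfg["Telegram Chatid"]}


def classify(rec, iocs):
    """Tag one parsed request (host, path, ua; ua is None when absent)."""
    tags = []
    host, path, ua = rec["host"], rec["path"], rec["ua"]
    if host in IPCHECK_HOSTS and ua == LEGACY_UA:
        tags.append("ipcheck-legacy-ua")
    if host == GEOIP_HOST and GEOIP_PATH.match(path) and ua is None:
        tags.append("geoip-no-ua")
    if host == "api.telegram.org" and path.startswith(iocs["url_prefix"]):
        tags.append("telegram-exfil")
        if "chat_id=" + iocs["chat_id"] in path:
            tags.append("telegram-chat-match")
    return tags


def parse(line):
    """Constructed tab-separated format: ts, src, method, host, path, ua,
    where ua is '-' when the request carried no User-Agent header."""
    ts, src, method, host, path, ua = line.rstrip("\n").split("\t")
    return {"ts": ts, "src": src, "method": method, "host": host,
            "path": path, "ua": None if ua == "-" else ua}


def hunt(lines, cfg):
    """Group tags per source host.  A host showing both the IP check and the
    geo lookup, or any Telegram Bot API hit for this token, is returned."""
    iocs = telegram_iocs(cfg)
    seen = defaultdict(set)
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        rec = parse(line)
        seen[rec["src"]].update(classify(rec, iocs))
    flagged = {}
    for src, tags in seen.items():
        chain = {"ipcheck-legacy-ua", "geoip-no-ua"} <= tags
        if chain or "telegram-exfil" in tags:
            flagged[src] = sorted(tags)
    return flagged


# Constructed log: 192.168.2.10 mirrors the sandbox host's chain, while
# 192.168.2.20 is a user opening the same geoip page from a normal browser.
SAMPLE_LOG = """\
# ts\tsrc\tmethod\thost\tpath\tua
2025-03-07T15:48:05\t192.168.2.10\tGET\tcheckip.dyndns.org\t/\t%s
2025-03-07T15:48:06\t192.168.2.10\tGET\treallyfreegeoip.org\t/xml/8.46.123.189\t-
2025-03-07T15:49:10\t192.168.2.10\tPOST\tapi.telegram.org\t/bot%s/sendDocument?chat_id=%s\tMozilla/5.0
2025-03-07T15:50:00\t192.168.2.20\tGET\treallyfreegeoip.org\t/xml/8.46.123.189\tMozilla/5.0 (Windows NT 10.0; Win64; x64)
""" % (LEGACY_UA, CONFIG["Telegram Token"], CONFIG["Telegram Chatid"])

if __name__ == "__main__":
    for src, tags in hunt(SAMPLE_LOG.splitlines(), CONFIG).items():
        print(src, tags)
```

Because the geolocation and Telegram requests ride inside TLS, the host and path fields only exist where a TLS-terminating proxy logs them. On raw network telemetry you are limited to the destination and SNI plus what this report already lists: the JA3 hash 54328bd36c14bd82ddaa0c04b25ed9ad and a TLS 1.0 handshake from a Windows 10 host, which is itself anomalous for any current browser or updater.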

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.7l3CafRVv7.exe.3664640.4.raw.unpack, UltraSpeed.cs | .Net Code: VKCodeToUnicode
Source: 0.2.7l3CafRVv7.exe.364d810.3.raw.unpack, UltraSpeed.cs | .Net Code: VKCodeToUnicode

System Summary

Source: 0.2.7l3CafRVv7.exe.3664640.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 0.2.7l3CafRVv7.exe.3664640.4.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 2.2.7l3CafRVv7.exe.630000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 2.2.7l3CafRVv7.exe.630000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 0.2.7l3CafRVv7.exe.364d810.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 0.2.7l3CafRVv7.exe.364d810.3.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 0.2.7l3CafRVv7.exe.3664640.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 0.2.7l3CafRVv7.exe.3664640.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 0.2.7l3CafRVv7.exe.364d810.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 0.2.7l3CafRVv7.exe.364d810.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 0.2.7l3CafRVv7.exe.36079c0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 0.2.7l3CafRVv7.exe.36079c0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 00000002.00000002.2410109640.0000000000632000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 00000000.00000002.1168495027.00000000035A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: Process Memory Space: 7l3CafRVv7.exe PID: 6556, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: Process Memory Space: 7l3CafRVv7.exe PID: 6716, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: C:\Users\user\Desktop\7l3CafRVv7.exe | Code functions: 0_2_02392560, 0_2_0239CE7C, 2_2_0236C530, 2_2_02362DD1, 2_2_02369480, 2_2_0236C521, 2_2_0236946F, 2_2_05176138, 2_2_0517BC60, 2_2_0517AF00, 2_2_051789E0, 2_2_0517450F, 2_2_05174520, 2_2_05178579, 2_2_05178588, 2_2_05177418, 2_2_05176F21, 2_2_05177428, 2_2_0517F458, 2_2_0517F448, 2_2_0517E750, 2_2_0517E740, 2_2_0517566F, 2_2_05175680, 2_2_05178130, 2_2_05178120, 2_2_0517612A, 2_2_0517E180, 2_2_0517F000, 2_2_05170330, 2_2_05170320, 2_2_051713A8, 2_2_0517521A, 2_2_05175228, 2_2_05174DD0, 2_2_05174DC0, 2_2_05170CD8, 2_2_05177CD8, 2_2_05177CC8, 2_2_05176FD0, 2_2_05176FC2, 2_2_0517EFF0, 2_2_05174978, 2_2_05174969, 2_2_05177871, 2_2_05177880, 2_2_0517F8B0, 2_2_0517F8A1, 2_2_0517EB98, 2_2_0517EBA8, 2_2_05170AB8, 2_2_05175AD8, 2_2_05175ACA
Source: 7l3CafRVv7.exe, 00000000.00000002.1168495027.00000000035A9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAntiBossing.dll8 vs 7l3CafRVv7.exe
Source: 7l3CafRVv7.exe, 00000000.00000002.1168495027.00000000035A9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCloudServices.exe< vs 7l3CafRVv7.exe
Source: 7l3CafRVv7.exe, 00000000.00000002.1168924319.0000000004B7C000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenamePoses.dll, vs 7l3CafRVv7.exe
Source: 7l3CafRVv7.exe, 00000000.00000000.1157068597.000000000021A000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameNothing.exe0 vs 7l3CafRVv7.exe
Source: 7l3CafRVv7.exe, 00000000.00000002.1167519592.00000000007DE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs 7l3CafRVv7.exe
Source: 7l3CafRVv7.exe, 00000000.00000002.1169086662.0000000004E70000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameAntiBossing.dll8 vs 7l3CafRVv7.exe
Source: 7l3CafRVv7.exe, 00000000.00000002.1168414663.000000000260B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePoses.dll, vs 7l3CafRVv7.exe
Source: 7l3CafRVv7.exe, 00000000.00000002.1168414663.000000000260B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCloudServices.exe< vs 7l3CafRVv7.exe
Source: 7l3CafRVv7.exe, 00000002.00000002.2410109640.000000000064A000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCloudServices.exe< vs 7l3CafRVv7.exe
Source: 7l3CafRVv7.exe, 00000002.00000002.2410058132.00000000003F7000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs 7l3CafRVv7.exe
Source: 7l3CafRVv7.exe | Binary or memory string: OriginalFilenameNothing.exe0 vs 7l3CafRVv7.exe
Source: 7l3CafRVv7.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

The OriginalFilename values (the trailing stray character after each name is an extraction artefact of the version-info scan) outline the layering: Nothing.exe is the version info of the submitted file itself, on disk and in the initial image of PID 6556; Poses.dll is the RunPE stub named in the PDB path listed under Compliance; AntiBossing.dll is a further embedded module; and CloudServices.exe is the image present in the child PID 6716 in the same region that yields the 2.2.7l3CafRVv7.exe.630000.0.unpack PE, i.e. the executable placed into the re-spawned process and the one the MassLogger / SnakeKeylogger Yara rules match. Pivoting on "CloudServices.exe" as an OriginalFilename is therefore more useful than the submitted file name, which is a hash.
Yara rule metadata for the matches above (identical for every source):
Windows_Trojan_SnakeKeylogger_af3faa65: os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
  matched in: 0.2.7l3CafRVv7.exe.3664640.4.unpack, 2.2.7l3CafRVv7.exe.630000.0.unpack, 0.2.7l3CafRVv7.exe.364d810.3.unpack, 0.2.7l3CafRVv7.exe.3664640.4.raw.unpack, 0.2.7l3CafRVv7.exe.364d810.3.raw.unpack, 0.2.7l3CafRVv7.exe.36079c0.2.raw.unpack (type: UNPACKEDPE); 00000002.00000002.2410109640.0000000000632000.00000040.00000400.00020000.00000000.sdmp and 00000000.00000002.1168495027.00000000035A9000.00000004.00000800.00020000.00000000.sdmp (type: MEMORY); Process Memory Space of 7l3CafRVv7.exe PID: 6556 and PID: 6716 (type: MEMORYSTR)
MAL_Envrial_Jan18_1: date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
  matched in: the six UNPACKEDPE sources listed for Windows_Trojan_SnakeKeylogger_af3faa65 above
                  Source: 7l3CafRVv7.exe, ExcavationTask.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.7l3CafRVv7.exe.3664640.4.raw.unpack, UltraSpeed.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.7l3CafRVv7.exe.3664640.4.raw.unpack, COVIDPickers.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.7l3CafRVv7.exe.4e70000.6.raw.unpack, FuelfordChassis.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.7l3CafRVv7.exe.364d810.3.raw.unpack, UltraSpeed.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.7l3CafRVv7.exe.364d810.3.raw.unpack, COVIDPickers.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.7l3CafRVv7.exe.36079c0.2.raw.unpack, FuelfordChassis.csCryptographic APIs: 'TransformFinalBlock'
                  Source: classification engine; Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/2
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exe; File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\7l3CafRVv7.exe.log
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exe; Mutant created: NULL
                  Source: 7l3CafRVv7.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: 7l3CafRVv7.exe; Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: 7l3CafRVv7.exe, 00000002.00000002.2411769091.000000000267C000.00000004.00000800.00020000.00000000.sdmp, 7l3CafRVv7.exe, 00000002.00000002.2411769091.0000000002690000.00000004.00000800.00020000.00000000.sdmp, 7l3CafRVv7.exe, 00000002.00000002.2411769091.000000000269D000.00000004.00000800.00020000.00000000.sdmp, 7l3CafRVv7.exe, 00000002.00000002.2411769091.000000000266E000.00000004.00000800.00020000.00000000.sdmp, 7l3CafRVv7.exe, 00000002.00000002.2411769091.000000000265E000.00000004.00000800.00020000.00000000.sdmp, 7l3CafRVv7.exe, 00000002.00000002.2412619451.00000000035AD000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                  Source: 7l3CafRVv7.exe; Virustotal: Detection: 76%
                  Source: 7l3CafRVv7.exe; ReversingLabs: Detection: 73%
                  Source: unknown; Process created: C:\Users\user\Desktop\7l3CafRVv7.exe "C:\Users\user\Desktop\7l3CafRVv7.exe"
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exe; Process created: C:\Users\user\Desktop\7l3CafRVv7.exe "C:\Users\user\Desktop\7l3CafRVv7.exe"
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exe; Section loaded: mscoree.dll
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exe; Section loaded: apphelp.dll
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exe; Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exe; Section loaded: version.dll
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exe; Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exe; Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exe; Section loaded: uxtheme.dll
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exe; Section loaded: windows.storage.dll
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exe; Section loaded: wldp.dll
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exe; Section loaded: profapi.dll
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exe; Section loaded: cryptsp.dll
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exe; Section loaded: rsaenh.dll
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exe; Section loaded: cryptbase.dll
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exe; Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exe; Section loaded: userenv.dll
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exe; Section loaded: msasn1.dll
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exe; Section loaded: gpapi.dll
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exe; Section loaded: dwrite.dll
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exe; Section loaded: rasapi32.dll
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exe; Section loaded: rasman.dll
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exe; Section loaded: rtutils.dll
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exe; Section loaded: mswsock.dll
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exe; Section loaded: winhttp.dll
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exe; Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exe; Section loaded: iphlpapi.dll
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exe; Section loaded: dhcpcsvc6.dll
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exe; Section loaded: dhcpcsvc.dll
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exe; Section loaded: dnsapi.dll
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exe; Section loaded: winnsi.dll
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exe; Section loaded: rasadhlp.dll
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exe; Section loaded: fwpuclnt.dll
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exe; Section loaded: secur32.dll
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exe; Section loaded: sspicli.dll
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exe; Section loaded: schannel.dll
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exe; Section loaded: mskeyprotect.dll
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exe; Section loaded: ntasn1.dll
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exe; Section loaded: ncrypt.dll
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exe; Section loaded: ncryptsslp.dll
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exe; Section loaded: dpapi.dll
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exe; File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: 7l3CafRVv7.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: 7l3CafRVv7.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: G:\IMPORTANT SRC\GOOD Nova\Crypter\Stubs Fully\Public\Public Runpe\PR\PR\obj\Debug\Poses.pdb source: 7l3CafRVv7.exe, 00000000.00000002.1168414663.00000000025A1000.00000004.00000800.00020000.00000000.sdmp, 7l3CafRVv7.exe, 00000000.00000002.1168924319.0000000004B70000.00000004.08000000.00040000.00000000.sdmp, 7l3CafRVv7.exe, 00000000.00000002.1168414663.000000000260B000.00000004.00000800.00020000.00000000.sdmp
                  Source: 7l3CafRVv7.exe; Static PE information: 0xFEBA3976 [Fri Jun 5 03:54:30 2105 UTC]
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exe; Code function: 0_2_0239E6E0 push esp; retf 0_2_0239E6E1
                  Source: 7l3CafRVv7.exe; Static PE information: section name: .text entropy: 7.782221407254461
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exe; Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exe; Memory allocated: 2350000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exe; Memory allocated: 25A0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exe; Memory allocated: 23D0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exe; Memory allocated: 2360000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exe; Memory allocated: 2580000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exe; Memory allocated: 23C0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exe; Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exe TID: 6604; Thread sleep time: -922337203685477s >= -30000s
                  Source: 7l3CafRVv7.exe, 00000002.00000002.2410421032.00000000006F9000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllE
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exe; Process information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exe; Process token adjusted: Debug
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exe; Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  Source: 0.2.7l3CafRVv7.exe.25ff2d4.1.raw.unpack, EngineAlgorithm.cs; Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
                  Source: 0.2.7l3CafRVv7.exe.3664640.4.raw.unpack, UltraSpeed.cs; Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exe; Process created: C:\Users\user\Desktop\7l3CafRVv7.exe "C:\Users\user\Desktop\7l3CafRVv7.exe"
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exe; Queries volume information: C:\Users\user\Desktop\7l3CafRVv7.exe VolumeInformation
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exe; Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

                  Source: Yara match; File source: 0.2.7l3CafRVv7.exe.3664640.4.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 2.2.7l3CafRVv7.exe.630000.0.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.7l3CafRVv7.exe.364d810.3.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.7l3CafRVv7.exe.3664640.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.7l3CafRVv7.exe.364d810.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.7l3CafRVv7.exe.36079c0.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 00000002.00000002.2410109640.0000000000632000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000000.00000002.1168495027.00000000035A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: Process Memory Space: 7l3CafRVv7.exe PID: 6556, type: MEMORYSTR
                  Source: Yara match; File source: Process Memory Space: 7l3CafRVv7.exe PID: 6716, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                  Source: C:\Users\user\Desktop\7l3CafRVv7.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                  Source: Yara matchFile source: 0.2.7l3CafRVv7.exe.3664640.4.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 2.2.7l3CafRVv7.exe.630000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.7l3CafRVv7.exe.364d810.3.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.7l3CafRVv7.exe.3664640.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.7l3CafRVv7.exe.364d810.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.7l3CafRVv7.exe.36079c0.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000002.00000002.2410109640.0000000000632000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.1168495027.00000000035A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000002.2411769091.00000000026A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: 7l3CafRVv7.exe PID: 6556, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: 7l3CafRVv7.exe PID: 6716, type: MEMORYSTR

                  Remote Access Functionality

Source: Yara match, file source: 0.2.7l3CafRVv7.exe.3664640.4.unpack, type: UNPACKEDPE
Source: Yara match, file source: 2.2.7l3CafRVv7.exe.630000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.7l3CafRVv7.exe.364d810.3.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.7l3CafRVv7.exe.3664640.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.7l3CafRVv7.exe.364d810.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.7l3CafRVv7.exe.36079c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000002.00000002.2410109640.0000000000632000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.1168495027.00000000035A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: 7l3CafRVv7.exe PID: 6556, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: 7l3CafRVv7.exe PID: 6716, type: MEMORYSTR
Source: Yara match, file source: 0.2.7l3CafRVv7.exe.3664640.4.unpack, type: UNPACKEDPE
Source: Yara match, file source: 2.2.7l3CafRVv7.exe.630000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.7l3CafRVv7.exe.364d810.3.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.7l3CafRVv7.exe.3664640.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.7l3CafRVv7.exe.364d810.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.7l3CafRVv7.exe.36079c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000002.00000002.2410109640.0000000000632000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.1168495027.00000000035A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: 7l3CafRVv7.exe PID: 6556, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: 7l3CafRVv7.exe PID: 6716, type: MEMORYSTR
Source: Yara match, file source: 0.2.7l3CafRVv7.exe.3664640.4.unpack, type: UNPACKEDPE
Source: Yara match, file source: 2.2.7l3CafRVv7.exe.630000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.7l3CafRVv7.exe.364d810.3.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.7l3CafRVv7.exe.3664640.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.7l3CafRVv7.exe.364d810.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.7l3CafRVv7.exe.36079c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000002.00000002.2410109640.0000000000632000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.1168495027.00000000035A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: 7l3CafRVv7.exe PID: 6556, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: 7l3CafRVv7.exe PID: 6716, type: MEMORYSTR
MITRE ATT&CK Matrix (numbers in parentheses: count of matched signatures for that technique)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Native API (1) | DLL Side-Loading (1) | Process Injection (11) | Masquerading (1) | OS Credential Dumping (1) | Security Software Discovery (1) | Remote Services | Email Collection (1) | Encrypted Channel (11) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | Disable or Modify Tools (1) | Input Capture (1) | Process Discovery (1) | Remote Desktop Protocol | Input Capture (1) | Ingress Tool Transfer (1) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion (31) | Security Account Manager | Virtualization/Sandbox Evasion (31) | SMB/Windows Admin Shares | Archive Collected Data (11) | Non-Application Layer Protocol (2) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Process Injection (11) | NTDS | System Network Configuration Discovery (1) | Distributed Component Object Model | Data from Local System (1) | Application Layer Protocol (13) | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (1) | LSA Secrets | System Information Discovery (13) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Obfuscated Files or Information (3) | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Software Packing (1) | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Timestomp (1) | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | DLL Side-Loading (1) | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Source | Detection | Scanner | Label
7l3CafRVv7.exe | 76% | Virustotal |
7l3CafRVv7.exe | 74% | ReversingLabs | Win32.Trojan.Jalapeno
7l3CafRVv7.exe | 100% | Avira | HEUR/AGEN.1309269
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
reallyfreegeoip.org | 104.21.80.1 | true | false | | high
checkip.dyndns.com | 132.226.247.73 | true | false | | high
checkip.dyndns.org | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://checkip.dyndns.org/ | false | | high
https://reallyfreegeoip.org/xml/8.46.123.189 | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://reallyfreegeoip.org/xml/8.46.123.189l | 7l3CafRVv7.exe, 00000002.00000002.2411769091.00000000025FE000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.comd | 7l3CafRVv7.exe, 00000002.00000002.2411769091.00000000025FE000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.org/q | 7l3CafRVv7.exe, 00000000.00000002.1168495027.00000000035A9000.00000004.00000800.00020000.00000000.sdmp; 7l3CafRVv7.exe, 00000002.00000002.2410109640.0000000000632000.00000040.00000400.00020000.00000000.sdmp | false | | high
http://reallyfreegeoip.orgd | 7l3CafRVv7.exe, 00000002.00000002.2411769091.000000000261A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org/xml/8.46.123.189d | 7l3CafRVv7.exe, 00000002.00000002.2411769091.00000000025FE000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://reallyfreegeoip.org | 7l3CafRVv7.exe, 00000002.00000002.2411769091.000000000261A000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.orgd | 7l3CafRVv7.exe, 00000002.00000002.2411769091.00000000025FE000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org | 7l3CafRVv7.exe, 00000002.00000002.2411769091.00000000025FE000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.org | 7l3CafRVv7.exe, 00000002.00000002.2411769091.00000000025FE000.00000004.00000800.00020000.00000000.sdmp; 7l3CafRVv7.exe, 00000002.00000002.2411769091.00000000025F3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.com | 7l3CafRVv7.exe, 00000002.00000002.2411769091.00000000025FE000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.org/d | 7l3CafRVv7.exe, 00000002.00000002.2411769091.00000000025FE000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 7l3CafRVv7.exe, 00000002.00000002.2411769091.0000000002581000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot-/sendDocument?chat_id= | 7l3CafRVv7.exe, 00000000.00000002.1168495027.00000000035A9000.00000004.00000800.00020000.00000000.sdmp; 7l3CafRVv7.exe, 00000002.00000002.2410109640.0000000000632000.00000040.00000400.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org/xml/ | 7l3CafRVv7.exe, 00000000.00000002.1168495027.00000000035A9000.00000004.00000800.00020000.00000000.sdmp; 7l3CafRVv7.exe, 00000002.00000002.2411769091.00000000025FE000.00000004.00000800.00020000.00000000.sdmp; 7l3CafRVv7.exe, 00000002.00000002.2410109640.0000000000632000.00000040.00000400.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.80.1 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false
132.226.247.73 | checkip.dyndns.com | United States | 16989 | UTMEMUS | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1631783
Start date and time: 2025-03-07 15:46:56 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 36s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 7l3CafRVv7.exe (renamed because the original name is a hash value)
Original Sample Name: ab2b7582e890d253761d1f41c262c27d314ddfa0e6ecb7c43aa6149acea2e426.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/1@2/2
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 83
• Number of non-executed functions: 22
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, Sgrmuserer.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 23.60.203.209
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com, c.pki.goog
• Execution Graph export aborted for target 7l3CafRVv7.exe, PID 6716 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
                                                        No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.21.80.1 | DHL AWB Receipt_pdf.bat.exe | malicious | FormBook | www.rbopisalive.cyou/2dxw/
104.21.80.1 | Marzec 2025-faktura.pdf.exe | malicious | FormBook | www.oldpay.online/u023/?lneDc=2js00DxFGjY6gHlVOW1q9a10L3HzPIs7WpRmaT2A/LnakQk0VzYAjcxSKMUcEwKHsPPKaiHoQA==&NvExnX=FrapFFYPB
104.21.80.1 | z1companyProfileandproducts.exe | malicious | FormBook | www.dd87558.vip/uoki/
104.21.80.1 | http://7a.ithuupvudv.ru | malicious | Unknown | 7a.ithuupvudv.ru/favicon.ico
104.21.80.1 | PRI_VTK250419A.exe | malicious | Lokibot | touxzw.ir/scc1/five/fre.php
104.21.80.1 | dfiCWCanbj.exe | malicious | Lokibot | touxzw.ir/sccc/five/fre.php
104.21.80.1 | laser (2).ps1 | malicious | FormBook | www.lucynoel6465.shop/jgkl/
104.21.80.1 | laser.ps1 | malicious | FormBook | www.tumbetgirislinki.fit/k566/
104.21.80.1 | QUOTATION REQUEST.exe | malicious | FormBook | www.shlomi.app/t3l4/
104.21.80.1 | Quotation.exe | malicious | FormBook | www.askvtwv8.top/uztg/
132.226.247.73 | ckHregxJIq.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
132.226.247.73 | jcHIuFAWdB.exe | malicious | MSIL Logger, MassLogger RAT | checkip.dyndns.org/
132.226.247.73 | SecuriteInfo.com.Win32.CrypterX-gen.30422.25408.exe | malicious | MSIL Logger, MassLogger RAT | checkip.dyndns.org/
132.226.247.73 | z1INVOICE4602-FMT25020147.scr.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
132.226.247.73 | Ziraat_Bankasi_Swift_Messaji.png.exe | malicious | MSIL Logger, MassLogger RAT, PureLog Stealer, Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
132.226.247.73 | Repeat Order.exe | malicious | MSIL Logger, MassLogger RAT | checkip.dyndns.org/
132.226.247.73 | HAWB772384266855 2846086773 GönderinizinETGB .exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
132.226.247.73 | MEDUCK217841.scr.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
132.226.247.73 | SOA_TONG WOH ENTERPRISE SDN BHD.pdf.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
132.226.247.73 | rRessourcestyrings.exe | malicious | GuLoader, Snake Keylogger | checkip.dyndns.org/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
checkip.dyndns.com | ckHregxJIq.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
checkip.dyndns.com | PvAmrCZENy.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.8.169
checkip.dyndns.com | rjRYMApdf9.exe | malicious | Snake Keylogger | 158.101.44.242
checkip.dyndns.com | jcHIuFAWdB.exe | malicious | MSIL Logger, MassLogger RAT | 132.226.247.73
checkip.dyndns.com | 8JVG9KELay.exe | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
checkip.dyndns.com | uB9KTHzsXJ.exe | malicious | Snake Keylogger | 132.226.8.169
checkip.dyndns.com | PENDING PAYMENT FOR March SOA.exe | malicious | Snake Keylogger | 132.226.8.169
checkip.dyndns.com | HBL NO C-ACC-250002.exe | malicious | Snake Keylogger | 193.122.6.168
checkip.dyndns.com | SecuriteInfo.com.Win32.CrypterX-gen.30422.25408.exe | malicious | MSIL Logger, MassLogger RAT | 132.226.247.73
checkip.dyndns.com | Shipping Document ..exe | malicious | Snake Keylogger | 193.122.6.168
reallyfreegeoip.org | ckHregxJIq.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.96.1
reallyfreegeoip.org | PvAmrCZENy.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.96.1
reallyfreegeoip.org | rjRYMApdf9.exe | malicious | Snake Keylogger | 104.21.64.1
reallyfreegeoip.org | jcHIuFAWdB.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.16.1
reallyfreegeoip.org | 8JVG9KELay.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.80.1
reallyfreegeoip.org | uB9KTHzsXJ.exe | malicious | Snake Keylogger | 104.21.112.1
reallyfreegeoip.org | PENDING PAYMENT FOR March SOA.exe | malicious | Snake Keylogger | 104.21.32.1
reallyfreegeoip.org | HBL NO C-ACC-250002.exe | malicious | Snake Keylogger | 104.21.64.1
reallyfreegeoip.org | SecuriteInfo.com.Win32.CrypterX-gen.30422.25408.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.32.1
reallyfreegeoip.org | Shipping Document ..exe | malicious | Snake Keylogger | 104.21.112.1
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | ckHregxJIq.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.96.1
CLOUDFLARENETUS | oCPGyn28rc.exe | malicious | AgentTesla | 104.26.13.205
CLOUDFLARENETUS | CjbMEPJZ3J.exe | malicious | FormBook | 104.21.3.103
CLOUDFLARENETUS | PvAmrCZENy.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.96.1
CLOUDFLARENETUS | rjRYMApdf9.exe | malicious | Snake Keylogger | 104.21.64.1
CLOUDFLARENETUS | jcHIuFAWdB.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.16.1
CLOUDFLARENETUS | 8JVG9KELay.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.80.1
CLOUDFLARENETUS | uB9KTHzsXJ.exe | malicious | Snake Keylogger | 104.21.112.1
CLOUDFLARENETUS | 2Stejb80vJ.exe | malicious | FormBook | 104.21.112.1
UTMEMUS | ckHregxJIq.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
UTMEMUS | PvAmrCZENy.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.8.169
UTMEMUS | jcHIuFAWdB.exe | malicious | MSIL Logger, MassLogger RAT | 132.226.247.73
UTMEMUS | uB9KTHzsXJ.exe | malicious | Snake Keylogger | 132.226.8.169
UTMEMUS | PENDING PAYMENT FOR March SOA.exe | malicious | Snake Keylogger | 132.226.8.169
UTMEMUS | SecuriteInfo.com.Win32.CrypterX-gen.30422.25408.exe | malicious | MSIL Logger, MassLogger RAT | 132.226.247.73
UTMEMUS | Invoice- Trikaya Bio.exe | malicious | Snake Keylogger | 132.226.8.169
UTMEMUS | z1INVOICE4602-FMT25020147.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
UTMEMUS | Purchase Order # 8MJA15 - 20hrs PMS Twin Engine 150HP.exe | malicious | PureLog Stealer, Snake Keylogger | 132.226.8.169
UTMEMUS | Ziraat_Bankasi_Swift_Messaji.png.exe | malicious | MSIL Logger, MassLogger RAT, PureLog Stealer, Snake Keylogger, VIP Keylogger | 132.226.247.73
                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                        54328bd36c14bd82ddaa0c04b25ed9adckHregxJIq.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                        • 104.21.80.1
                                                        PvAmrCZENy.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                        • 104.21.80.1
                                                        rjRYMApdf9.exeGet hashmaliciousSnake KeyloggerBrowse
                                                        • 104.21.80.1
                                                        jcHIuFAWdB.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                        • 104.21.80.1
                                                        8JVG9KELay.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                        • 104.21.80.1
                                                        uB9KTHzsXJ.exeGet hashmaliciousSnake KeyloggerBrowse
                                                        • 104.21.80.1
                                                        NrFs9S2x5P.vbsGet hashmaliciousMoDiRATBrowse
                                                        • 104.21.80.1
                                                        4GkyooSSU6.vbsGet hashmaliciousMoDiRATBrowse
                                                        • 104.21.80.1
                                                        8FPbFaueUE.vbsGet hashmaliciousMoDiRATBrowse
                                                        • 104.21.80.1
                                                        PBuqd1KwaW.vbsGet hashmaliciousMoDiRATBrowse
                                                        • 104.21.80.1
No context
Process: C:\Users\user\Desktop\7l3CafRVv7.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1119
Entropy (8bit): 5.345080863654519
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0Hj
MD5: 88593431AEF401417595E7A00FE86E5F
SHA1: 1714B8F6F6DCAAB3F3853EDABA7687F16DD331F4
SHA-256: ED5E60336FB00579E0867B9615CBD0C560BB667FE3CEE0674F690766579F1032
SHA-512: 1D442441F96E69D8A6D5FB7E8CF01F13AF88CA2C2D0960120151B15505DD1CADC607EF9983373BA8E422C65FADAB04A615968F335A875B5C075BB9A6D0F346C9
Malicious: true
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.758851632704716
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: 7l3CafRVv7.exe
File size: 225'792 bytes
MD5: 046295be03e8dcf9eacf9befb7d9b4ef
SHA1: 67441f3c6af067830704bc3d09a6c0460b4876c3
SHA256: ab2b7582e890d253761d1f41c262c27d314ddfa0e6ecb7c43aa6149acea2e426
SHA512: c6cea12c6c161d4a328e27c9a9075e022c0adc379624f47322d4d81ae510a32b77be680692bac2656d8ab1e93cc53ad3348e1d4d9b8fca9cb04355bdcf382523
SSDEEP: 3072:mP/DpQnSfkKxNQ3Hrwg6f2BkSvhxFPP6iFa8muyLM08m0TphLmVVtRS:gDpISfkKxNWBrhnqXLM07ML
TLSH: AA24D59B024DDA30E9E80B751DB04DC81C191A39EB8B6E060617B917F99D7F0E385F6B
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v9................0..h............... ........@.. ....................................@................................
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x4387be
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0xFEBA3976 [Fri Jun 5 03:54:30 2105 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
(the line above repeats 97 times in the listing: the bytes following the entry stub are zeros, and the two-byte sequence 00 00 decodes as add byte ptr [eax], al)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x38768 | 0x53 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3a000 | 0x596 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x3c000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x367c4 | 0x36800 | 30e9886f51dcc86530a726eec33224d3 | False | 0.6766592603211009 | data | 7.782221407254461 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x3a000 | 0x596 | 0x600 | 9dcd150b9281514ecf1d40fb86584ecd | False | 0.4108072916666667 | data | 4.0479483378357495 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x3c000 | 0xc | 0x200 | a5bcf550a873bd5468d19c74c401d696 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x3a0a0 | 0x30c | data | | | 0.4230769230769231
RT_MANIFEST | 0x3a3ac | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Description | Data
Translation | 0x0000 0x04b0
Comments |
CompanyName |
FileDescription | Nothing
FileVersion | 1.0.0.0
InternalName | Nothing.exe
LegalCopyright | Copyright 2025
LegalTrademarks |
OriginalFilename | Nothing.exe
ProductName | Nothing
ProductVersion | 1.0.0.0
Assembly Version | 1.0.0.0
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-03-07T15:48:05.052919+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.10 | 49681 | 132.226.247.73 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 7, 2025 15:48:04.043082952 CET | 49681 | 80 | 192.168.2.10 | 132.226.247.73
Mar 7, 2025 15:48:04.048202038 CET | 80 | 49681 | 132.226.247.73 | 192.168.2.10
Mar 7, 2025 15:48:04.048445940 CET | 49681 | 80 | 192.168.2.10 | 132.226.247.73
Mar 7, 2025 15:48:04.048698902 CET | 49681 | 80 | 192.168.2.10 | 132.226.247.73
Mar 7, 2025 15:48:04.053649902 CET | 80 | 49681 | 132.226.247.73 | 192.168.2.10
Mar 7, 2025 15:48:04.729454041 CET | 80 | 49681 | 132.226.247.73 | 192.168.2.10
Mar 7, 2025 15:48:04.771661043 CET | 49681 | 80 | 192.168.2.10 | 132.226.247.73
Mar 7, 2025 15:48:04.788876057 CET | 49681 | 80 | 192.168.2.10 | 132.226.247.73
Mar 7, 2025 15:48:04.793869019 CET | 80 | 49681 | 132.226.247.73 | 192.168.2.10
Mar 7, 2025 15:48:04.998689890 CET | 80 | 49681 | 132.226.247.73 | 192.168.2.10
Mar 7, 2025 15:48:05.008582115 CET | 49682 | 443 | 192.168.2.10 | 104.21.80.1
Mar 7, 2025 15:48:05.008616924 CET | 443 | 49682 | 104.21.80.1 | 192.168.2.10
Mar 7, 2025 15:48:05.008707047 CET | 49682 | 443 | 192.168.2.10 | 104.21.80.1
Mar 7, 2025 15:48:05.052918911 CET | 49681 | 80 | 192.168.2.10 | 132.226.247.73
Mar 7, 2025 15:48:05.347840071 CET | 49682 | 443 | 192.168.2.10 | 104.21.80.1
Mar 7, 2025 15:48:05.347858906 CET | 443 | 49682 | 104.21.80.1 | 192.168.2.10
Mar 7, 2025 15:48:07.010083914 CET | 443 | 49682 | 104.21.80.1 | 192.168.2.10
Mar 7, 2025 15:48:07.010174036 CET | 49682 | 443 | 192.168.2.10 | 104.21.80.1
Mar 7, 2025 15:48:07.212162971 CET | 49682 | 443 | 192.168.2.10 | 104.21.80.1
Mar 7, 2025 15:48:07.212193966 CET | 443 | 49682 | 104.21.80.1 | 192.168.2.10
Mar 7, 2025 15:48:07.212603092 CET | 443 | 49682 | 104.21.80.1 | 192.168.2.10
Mar 7, 2025 15:48:07.256103039 CET | 49682 | 443 | 192.168.2.10 | 104.21.80.1
Mar 7, 2025 15:48:07.402355909 CET | 49682 | 443 | 192.168.2.10 | 104.21.80.1
Mar 7, 2025 15:48:07.444334030 CET | 443 | 49682 | 104.21.80.1 | 192.168.2.10
Mar 7, 2025 15:48:07.849348068 CET | 443 | 49682 | 104.21.80.1 | 192.168.2.10
Mar 7, 2025 15:48:07.849416971 CET | 443 | 49682 | 104.21.80.1 | 192.168.2.10
Mar 7, 2025 15:48:07.849477053 CET | 49682 | 443 | 192.168.2.10 | 104.21.80.1
Mar 7, 2025 15:48:07.863823891 CET | 49682 | 443 | 192.168.2.10 | 104.21.80.1
Mar 7, 2025 15:49:09.998450994 CET | 80 | 49681 | 132.226.247.73 | 192.168.2.10
Mar 7, 2025 15:49:09.998615026 CET | 49681 | 80 | 192.168.2.10 | 132.226.247.73
Mar 7, 2025 15:49:45.006618023 CET | 49681 | 80 | 192.168.2.10 | 132.226.247.73
Mar 7, 2025 15:49:45.012833118 CET | 80 | 49681 | 132.226.247.73 | 192.168.2.10
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 7, 2025 15:48:04.028268099 CET | 57225 | 53 | 192.168.2.10 | 1.1.1.1
Mar 7, 2025 15:48:04.035757065 CET | 53 | 57225 | 1.1.1.1 | 192.168.2.10
Mar 7, 2025 15:48:05.000564098 CET | 58404 | 53 | 192.168.2.10 | 1.1.1.1
Mar 7, 2025 15:48:05.007816076 CET | 53 | 58404 | 1.1.1.1 | 192.168.2.10
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 7, 2025 15:48:04.028268099 CET | 192.168.2.10 | 1.1.1.1 | 0xe370 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Mar 7, 2025 15:48:05.000564098 CET | 192.168.2.10 | 1.1.1.1 | 0xfb4b | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 7, 2025 15:48:04.035757065 CET | 1.1.1.1 | 192.168.2.10 | 0xe370 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
Mar 7, 2025 15:48:04.035757065 CET | 1.1.1.1 | 192.168.2.10 | 0xe370 | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Mar 7, 2025 15:48:04.035757065 CET | 1.1.1.1 | 192.168.2.10 | 0xe370 | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Mar 7, 2025 15:48:04.035757065 CET | 1.1.1.1 | 192.168.2.10 | 0xe370 | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Mar 7, 2025 15:48:04.035757065 CET | 1.1.1.1 | 192.168.2.10 | 0xe370 | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Mar 7, 2025 15:48:04.035757065 CET | 1.1.1.1 | 192.168.2.10 | 0xe370 | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Mar 7, 2025 15:48:05.007816076 CET | 1.1.1.1 | 192.168.2.10 | 0xfb4b | No error (0) | reallyfreegeoip.org | | 104.21.80.1 | A (IP address) | IN (0x0001) | false
Mar 7, 2025 15:48:05.007816076 CET | 1.1.1.1 | 192.168.2.10 | 0xfb4b | No error (0) | reallyfreegeoip.org | | 104.21.16.1 | A (IP address) | IN (0x0001) | false
Mar 7, 2025 15:48:05.007816076 CET | 1.1.1.1 | 192.168.2.10 | 0xfb4b | No error (0) | reallyfreegeoip.org | | 104.21.32.1 | A (IP address) | IN (0x0001) | false
Mar 7, 2025 15:48:05.007816076 CET | 1.1.1.1 | 192.168.2.10 | 0xfb4b | No error (0) | reallyfreegeoip.org | | 104.21.112.1 | A (IP address) | IN (0x0001) | false
Mar 7, 2025 15:48:05.007816076 CET | 1.1.1.1 | 192.168.2.10 | 0xfb4b | No error (0) | reallyfreegeoip.org | | 104.21.64.1 | A (IP address) | IN (0x0001) | false
Mar 7, 2025 15:48:05.007816076 CET | 1.1.1.1 | 192.168.2.10 | 0xfb4b | No error (0) | reallyfreegeoip.org | | 104.21.96.1 | A (IP address) | IN (0x0001) | false
Mar 7, 2025 15:48:05.007816076 CET | 1.1.1.1 | 192.168.2.10 | 0xfb4b | No error (0) | reallyfreegeoip.org | | 104.21.48.1 | A (IP address) | IN (0x0001) | false
• reallyfreegeoip.org
• checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.10 | 49681 | 132.226.247.73 | 80 | 6716 | C:\Users\user\Desktop\7l3CafRVv7.exe
Timestamp | Bytes transferred | Direction | Data
Mar 7, 2025 15:48:04.048698902 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Mar 7, 2025 15:48:04.729454041 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 07 Mar 2025 14:48:04 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Mar 7, 2025 15:48:04.788876057 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Mar 7, 2025 15:48:04.998689890 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 07 Mar 2025 14:48:04 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        0 | 192.168.2.10 | 49682 | 104.21.80.14 | 443 | 6716 | C:\Users\user\Desktop\7l3CafRVv7.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2025-03-07 14:48:07 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                        Host: reallyfreegeoip.org
                                                        Connection: Keep-Alive
                                                        2025-03-07 14:48:07 UTC | 857 | IN | HTTP/1.1 200 OK
                                                        Date: Fri, 07 Mar 2025 14:48:07 GMT
                                                        Content-Type: text/xml
                                                        Content-Length: 362
                                                        Connection: close
                                                        Age: 75891
                                                        Cache-Control: max-age=31536000
                                                        cf-cache-status: HIT
                                                        last-modified: Thu, 06 Mar 2025 17:43:15 GMT
                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kuqkA6tXoz5cKZMJGiqS3qHDbLRs48u9sAfCyYJ6S7wogcHVY6Wg3HTWz87m4JArpHzF%2BIZBkxrpXK%2BfnunU3R%2Bkfbmp%2BowwejqTnNVrBS2I5UWJgBPCYs3l4RYuMBmB9aVmgbkL"}],"group":"cf-nel","max_age":604800}
                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                        Server: cloudflare
                                                        CF-RAY: 91cae4577fae8bb7-ATL
                                                        alt-svc: h3=":443"; ma=86400
                                                        server-timing: cfL4;desc="?proto=TCP&rtt=29583&min_rtt=27632&rtt_var=9521&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=104783&cwnd=228&unsent_bytes=0&cid=cb532f971e6fab90&ts=802&x=0"
                                                        2025-03-07 14:48:07 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo



                                                        Target ID: 0
                                                        Start time: 09:48:02
                                                        Start date: 07/03/2025
                                                        Path: C:\Users\user\Desktop\7l3CafRVv7.exe
                                                        Wow64 process (32bit): true
                                                        Commandline: "C:\Users\user\Desktop\7l3CafRVv7.exe"
                                                        Imagebase: 0x1e0000
                                                        File size: 225'792 bytes
                                                        MD5 hash: 046295BE03E8DCF9EACF9BEFB7D9B4EF
                                                        Has elevated privileges: true
                                                        Has administrator privileges: true
                                                        Programmed in: C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.1168495027.00000000035A9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1168495027.00000000035A9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 00000000.00000002.1168495027.00000000035A9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1168495027.00000000035A9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1168495027.00000000035A9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                        Reputation: low
                                                        Has exited: true

                                                        Target ID: 2
                                                        Start time: 09:48:02
                                                        Start date: 07/03/2025
                                                        Path: C:\Users\user\Desktop\7l3CafRVv7.exe
                                                        Wow64 process (32bit): true
                                                        Commandline: "C:\Users\user\Desktop\7l3CafRVv7.exe"
                                                        Imagebase: 0x230000
                                                        File size: 225'792 bytes
                                                        MD5 hash: 046295BE03E8DCF9EACF9BEFB7D9B4EF
                                                        Has elevated privileges: true
                                                        Has administrator privileges: true
                                                        Programmed in: C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000002.00000002.2410109640.0000000000632000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2410109640.0000000000632000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 00000002.00000002.2410109640.0000000000632000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.2410109640.0000000000632000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.2410109640.0000000000632000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2411769091.00000000026A3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        Reputation: low
                                                        Has exited: false
