Edit tour

Windows Analysis Report
TR3lYZyOE3.exe

Overview

General Information

Sample name:	TR3lYZyOE3.exe renamed because original name is a hash value
Original sample name:	57be4ec7980a2d28a02541067688d47feecf59e71fdb022aa93fe84c04429c55.exe
Analysis ID:	1631793
MD5:	80cd38e054f47508964df6f56e28d583
SHA1:	405ce42b6c9d038ea42d0d1d9d9c118c65e5ba27
SHA256:	57be4ec7980a2d28a02541067688d47feecf59e71fdb022aa93fe84c04429c55
Tags:	exeuser-adrian__luca
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

System process connects to network (likely due to code injection or exploit)

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code contains potential unpacker

Drops VBS files to the startup folder

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

Sample uses string decryption to hide its real strings

Sigma detected: WScript or CScript Dropper

Switches to a custom stack to bypass stack traces

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found evasive API chain (date check)

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Uncommon Svchost Parent Process

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

TR3lYZyOE3.exe (PID: 6924 cmdline: "C:\Users\user\Desktop\TR3lYZyOE3.exe" MD5: 80CD38E054F47508964DF6F56E28D583)

Hegeleos.exe (PID: 7164 cmdline: "C:\Users\user\Desktop\TR3lYZyOE3.exe" MD5: 80CD38E054F47508964DF6F56E28D583)

svchost.exe (PID: 6284 cmdline: "C:\Users\user\Desktop\TR3lYZyOE3.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

Hegeleos.exe (PID: 6288 cmdline: "C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe" MD5: 80CD38E054F47508964DF6F56E28D583)

svchost.exe (PID: 4088 cmdline: "C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

wscript.exe (PID: 4564 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Hegeleos.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

Hegeleos.exe (PID: 5912 cmdline: "C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe" MD5: 80CD38E054F47508964DF6F56E28D583)

svchost.exe (PID: 7152 cmdline: "C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Bot Token": "7339564661:AAFzTB6gEWMndjXYyD5LCn17UEBISRR8wDI", "Chat id": "6443825857", "Email ID": "sales-nguyen@vvtrade.vn", "Password": "qVyP6qyv6MQCmZJBRs4t", "Host": "mail.vvtrade.vn", "Port": "587"}

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Username": "sales-nguyen@vvtrade.vn", "Password": "qVyP6qyv6MQCmZJBRs4t", "Host": "mail.vvtrade.vn", "Port": "587", "Token": "7339564661:AAFzTB6gEWMndjXYyD5LCn17UEBISRR8wDI", "Chat_id": "6443825857", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000002.1304494588.0000000000400000.00000040.80000000.00040000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 62 88 44 24 2B 88 44 24 2F B0 08 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000007.00000002.1219278739.0000000002BF0000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 62 88 44 24 2B 88 44 24 2F B0 08 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000005.00000002.1241609998.0000000000400000.00000040.80000000.00040000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 62 88 44 24 2B 88 44 24 2F B0 08 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000009.00000002.1306752473.0000000007B80000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.1306752473.0000000007B80000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000009.00000002.1306752473.0000000007B80000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000009.00000002.1306752473.0000000007B80000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x361cf:$a1: get_encryptedPassword 0x361a3:$a2: get_encryptedUsername 0x36267:$a3: get_timePasswordChanged 0x3617f:$a4: get_passwordField 0x361e5:$a5: set_encryptedPassword 0x35fb2:$a7: get_logins 0x31876:$a10: KeyLoggerEventArgs 0x31845:$a11: KeyLoggerEventArgsEventHandler 0x36086:$a13: _encryptedPassword
00000009.00000002.1306752473.0000000007B80000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3ffa1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3f644:$a3: \Google\Chrome\User Data\Default\Login Data 0x3f8a1:$a4: \Orbitum\User Data\Default\Login Data 0x40280:$a5: \Kometa\User Data\Default\Login Data
00000009.00000002.1306752473.0000000007B80000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33da8:$s1: UnHook 0x33d44:$s2: SetHook 0x33d7d:$s3: CallNextHook 0x33d0c:$s4: _hook
00000002.00000002.1104839377.0000000003E20000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 62 88 44 24 2B 88 44 24 2F B0 08 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000009.00000003.1219174380.000000000345C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000003.1219174380.000000000345C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000009.00000003.1219174380.000000000345C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000009.00000003.1219174380.000000000345C000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x361cf:$a1: get_encryptedPassword 0x361a3:$a2: get_encryptedUsername 0x36267:$a3: get_timePasswordChanged 0x3617f:$a4: get_passwordField 0x361e5:$a5: set_encryptedPassword 0x35fb2:$a7: get_logins 0x31876:$a10: KeyLoggerEventArgs 0x31845:$a11: KeyLoggerEventArgsEventHandler 0x36086:$a13: _encryptedPassword
00000009.00000003.1219174380.000000000345C000.00000004.00000020.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3ffa1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3f644:$a3: \Google\Chrome\User Data\Default\Login Data 0x3f8a1:$a4: \Orbitum\User Data\Default\Login Data 0x40280:$a5: \Kometa\User Data\Default\Login Data
00000009.00000003.1219174380.000000000345C000.00000004.00000020.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33da8:$s1: UnHook 0x33d44:$s2: SetHook 0x33d7d:$s3: CallNextHook 0x33d0c:$s4: _hook
00000005.00000002.1243397567.0000000005B45000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.1243397567.0000000005B45000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000005.00000002.1243397567.0000000005B45000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000005.00000002.1243397567.0000000005B45000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3673f:$a1: get_encryptedPassword 0x7e23f:$a1: get_encryptedPassword 0x36713:$a2: get_encryptedUsername 0x7e213:$a2: get_encryptedUsername 0x367d7:$a3: get_timePasswordChanged 0x7e2d7:$a3: get_timePasswordChanged 0x366ef:$a4: get_passwordField 0x7e1ef:$a4: get_passwordField 0x36755:$a5: set_encryptedPassword 0x7e255:$a5: set_encryptedPassword 0x36522:$a7: get_logins 0x7e022:$a7: get_logins 0x31de6:$a10: KeyLoggerEventArgs 0x798e6:$a10: KeyLoggerEventArgs 0x31db5:$a11: KeyLoggerEventArgsEventHandler 0x798b5:$a11: KeyLoggerEventArgsEventHandler 0x365f6:$a13: _encryptedPassword 0x7e0f6:$a13: _encryptedPassword
00000004.00000002.1124492692.0000000002F50000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 62 88 44 24 2B 88 44 24 2F B0 08 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000009.00000002.1306003093.00000000055E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000005.00000002.1243237842.0000000004B41000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000009.00000002.1305315065.0000000003574000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.1305315065.0000000003574000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000009.00000002.1305315065.0000000003574000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000009.00000002.1305315065.0000000003574000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x361dd:$a1: get_encryptedPassword 0x361b1:$a2: get_encryptedUsername 0x36275:$a3: get_timePasswordChanged 0x3618d:$a4: get_passwordField 0x361f3:$a5: set_encryptedPassword 0x35fc0:$a7: get_logins 0x31884:$a10: KeyLoggerEventArgs 0x31853:$a11: KeyLoggerEventArgsEventHandler 0x36094:$a13: _encryptedPassword
00000005.00000003.1123909091.0000000002A5F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000003.1123909091.0000000002A5F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000005.00000003.1123909091.0000000002A5F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000005.00000003.1123909091.0000000002A5F000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x361cf:$a1: get_encryptedPassword 0x361a3:$a2: get_encryptedUsername 0x36267:$a3: get_timePasswordChanged 0x3617f:$a4: get_passwordField 0x361e5:$a5: set_encryptedPassword 0x35fb2:$a7: get_logins 0x31876:$a10: KeyLoggerEventArgs 0x31845:$a11: KeyLoggerEventArgsEventHandler 0x36086:$a13: _encryptedPassword
00000005.00000003.1123909091.0000000002A5F000.00000004.00000020.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3ffa1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3f644:$a3: \Google\Chrome\User Data\Default\Login Data 0x3f8a1:$a4: \Orbitum\User Data\Default\Login Data 0x40280:$a5: \Kometa\User Data\Default\Login Data
00000005.00000003.1123909091.0000000002A5F000.00000004.00000020.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33da8:$s1: UnHook 0x33d44:$s2: SetHook 0x33d7d:$s3: CallNextHook 0x33d0c:$s4: _hook
00000005.00000002.1243612016.00000000071B0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.1243612016.00000000071B0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000005.00000002.1243612016.00000000071B0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000005.00000002.1243612016.00000000071B0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x361cf:$a1: get_encryptedPassword 0x361a3:$a2: get_encryptedUsername 0x36267:$a3: get_timePasswordChanged 0x3617f:$a4: get_passwordField 0x361e5:$a5: set_encryptedPassword 0x35fb2:$a7: get_logins 0x31876:$a10: KeyLoggerEventArgs 0x31845:$a11: KeyLoggerEventArgsEventHandler 0x36086:$a13: _encryptedPassword
00000005.00000002.1243612016.00000000071B0000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3ffa1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3f644:$a3: \Google\Chrome\User Data\Default\Login Data 0x3f8a1:$a4: \Orbitum\User Data\Default\Login Data 0x40280:$a5: \Kometa\User Data\Default\Login Data
00000005.00000002.1243612016.00000000071B0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33da8:$s1: UnHook 0x33d44:$s2: SetHook 0x33d7d:$s3: CallNextHook 0x33d0c:$s4: _hook
00000009.00000002.1307281485.0000000007F40000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.1307281485.0000000007F40000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000009.00000002.1307281485.0000000007F40000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000009.00000002.1307281485.0000000007F40000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x352af:$a1: get_encryptedPassword 0x35283:$a2: get_encryptedUsername 0x35347:$a3: get_timePasswordChanged 0x3525f:$a4: get_passwordField 0x352c5:$a5: set_encryptedPassword 0x35092:$a7: get_logins 0x30956:$a10: KeyLoggerEventArgs 0x30925:$a11: KeyLoggerEventArgsEventHandler 0x35166:$a13: _encryptedPassword
00000009.00000002.1307281485.0000000007F40000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3f081:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3e724:$a3: \Google\Chrome\User Data\Default\Login Data 0x3e981:$a4: \Orbitum\User Data\Default\Login Data 0x3f360:$a5: \Kometa\User Data\Default\Login Data
00000009.00000002.1307281485.0000000007F40000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x32e88:$s1: UnHook 0x32e24:$s2: SetHook 0x32e5d:$s3: CallNextHook 0x32dec:$s4: _hook
00000005.00000002.1242545788.0000000002B74000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.1242545788.0000000002B74000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000005.00000002.1242545788.0000000002B74000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000005.00000002.1242545788.0000000002B74000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x361dd:$a1: get_encryptedPassword 0x361b1:$a2: get_encryptedUsername 0x36275:$a3: get_timePasswordChanged 0x3618d:$a4: get_passwordField 0x361f3:$a5: set_encryptedPassword 0x35fc0:$a7: get_logins 0x31884:$a10: KeyLoggerEventArgs 0x31853:$a11: KeyLoggerEventArgsEventHandler 0x36094:$a13: _encryptedPassword
00000005.00000002.1244057705.0000000007470000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.1244057705.0000000007470000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000005.00000002.1244057705.0000000007470000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000005.00000002.1244057705.0000000007470000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x352af:$a1: get_encryptedPassword 0x35283:$a2: get_encryptedUsername 0x35347:$a3: get_timePasswordChanged 0x3525f:$a4: get_passwordField 0x352c5:$a5: set_encryptedPassword 0x35092:$a7: get_logins 0x30956:$a10: KeyLoggerEventArgs 0x30925:$a11: KeyLoggerEventArgsEventHandler 0x35166:$a13: _encryptedPassword
00000005.00000002.1244057705.0000000007470000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3f081:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3e724:$a3: \Google\Chrome\User Data\Default\Login Data 0x3e981:$a4: \Orbitum\User Data\Default\Login Data 0x3f360:$a5: \Kometa\User Data\Default\Login Data
00000005.00000002.1244057705.0000000007470000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x32e88:$s1: UnHook 0x32e24:$s2: SetHook 0x32e5d:$s3: CallNextHook 0x32dec:$s4: _hook
00000009.00000002.1306220026.00000000065E5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.1306220026.00000000065E5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000009.00000002.1306220026.00000000065E5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000009.00000002.1306220026.00000000065E5000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3673f:$a1: get_encryptedPassword 0x7e23f:$a1: get_encryptedPassword 0x36713:$a2: get_encryptedUsername 0x7e213:$a2: get_encryptedUsername 0x367d7:$a3: get_timePasswordChanged 0x7e2d7:$a3: get_timePasswordChanged 0x366ef:$a4: get_passwordField 0x7e1ef:$a4: get_passwordField 0x36755:$a5: set_encryptedPassword 0x7e255:$a5: set_encryptedPassword 0x36522:$a7: get_logins 0x7e022:$a7: get_logins 0x31de6:$a10: KeyLoggerEventArgs 0x798e6:$a10: KeyLoggerEventArgs 0x31db5:$a11: KeyLoggerEventArgsEventHandler 0x798b5:$a11: KeyLoggerEventArgsEventHandler 0x365f6:$a13: _encryptedPassword 0x7e0f6:$a13: _encryptedPassword
Process Memory Space: svchost.exe PID: 4088	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: svchost.exe PID: 4088	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: svchost.exe PID: 4088	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: svchost.exe PID: 4088	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x131a5:$a1: get_encryptedPassword 0x4687b:$a1: get_encryptedPassword 0x5a010:$a1: get_encryptedPassword 0x66f8f:$a1: get_encryptedPassword 0x72d4b:$a1: get_encryptedPassword 0x13179:$a2: get_encryptedUsername 0x4684f:$a2: get_encryptedUsername 0x59fe4:$a2: get_encryptedUsername 0x66f63:$a2: get_encryptedUsername 0x72d1f:$a2: get_encryptedUsername 0x1323d:$a3: get_timePasswordChanged 0x46913:$a3: get_timePasswordChanged 0x5a0a8:$a3: get_timePasswordChanged 0x67027:$a3: get_timePasswordChanged 0x72de3:$a3: get_timePasswordChanged 0x13155:$a4: get_passwordField 0x4682b:$a4: get_passwordField 0x59fc0:$a4: get_passwordField 0x66f3f:$a4: get_passwordField 0x72cfb:$a4: get_passwordField 0x131bb:$a5: set_encryptedPassword
Process Memory Space: svchost.exe PID: 7152	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: svchost.exe PID: 7152	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: svchost.exe PID: 7152	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: svchost.exe PID: 7152	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x54b5:$a1: get_encryptedPassword 0x24591:$a1: get_encryptedPassword 0x4ff08:$a1: get_encryptedPassword 0x5c1d3:$a1: get_encryptedPassword 0x7424b:$a1: get_encryptedPassword 0x5489:$a2: get_encryptedUsername 0x24565:$a2: get_encryptedUsername 0x4fedc:$a2: get_encryptedUsername 0x5c1a7:$a2: get_encryptedUsername 0x7421f:$a2: get_encryptedUsername 0x554d:$a3: get_timePasswordChanged 0x24629:$a3: get_timePasswordChanged 0x4ffa0:$a3: get_timePasswordChanged 0x5c26b:$a3: get_timePasswordChanged 0x742e3:$a3: get_timePasswordChanged 0x5465:$a4: get_passwordField 0x24541:$a4: get_passwordField 0x4feb8:$a4: get_passwordField 0x5c183:$a4: get_passwordField 0x741fb:$a4: get_passwordField 0x54cb:$a5: set_encryptedPassword
Click to see the 62 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
9.2.svchost.exe.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 62 88 44 24 2B 88 44 24 2F B0 08 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
9.3.svchost.exe.345cf20.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.3.svchost.exe.345cf20.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
9.3.svchost.exe.345cf20.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.3.svchost.exe.345cf20.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x352af:$a1: get_encryptedPassword 0x35283:$a2: get_encryptedUsername 0x35347:$a3: get_timePasswordChanged 0x3525f:$a4: get_passwordField 0x352c5:$a5: set_encryptedPassword 0x35092:$a7: get_logins 0x30956:$a10: KeyLoggerEventArgs 0x30925:$a11: KeyLoggerEventArgsEventHandler 0x35166:$a13: _encryptedPassword
9.3.svchost.exe.345cf20.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3f081:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3e724:$a3: \Google\Chrome\User Data\Default\Login Data 0x3e981:$a4: \Orbitum\User Data\Default\Login Data 0x3f360:$a5: \Kometa\User Data\Default\Login Data
9.3.svchost.exe.345cf20.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x32e88:$s1: UnHook 0x32e24:$s2: SetHook 0x32e5d:$s3: CallNextHook 0x32dec:$s4: _hook
5.2.svchost.exe.2b74f2e.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.svchost.exe.2b74f2e.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
5.2.svchost.exe.2b74f2e.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.svchost.exe.2b74f2e.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x352af:$a1: get_encryptedPassword 0x35283:$a2: get_encryptedUsername 0x35347:$a3: get_timePasswordChanged 0x3525f:$a4: get_passwordField 0x352c5:$a5: set_encryptedPassword 0x35092:$a7: get_logins 0x30956:$a10: KeyLoggerEventArgs 0x30925:$a11: KeyLoggerEventArgsEventHandler 0x35166:$a13: _encryptedPassword
5.2.svchost.exe.2b74f2e.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3f081:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3e724:$a3: \Google\Chrome\User Data\Default\Login Data 0x3e981:$a4: \Orbitum\User Data\Default\Login Data 0x3f360:$a5: \Kometa\User Data\Default\Login Data
9.3.svchost.exe.345cf20.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.3.svchost.exe.345cf20.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
9.3.svchost.exe.345cf20.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.svchost.exe.2b74f2e.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x32e88:$s1: UnHook 0x32e24:$s2: SetHook 0x32e5d:$s3: CallNextHook 0x32dec:$s4: _hook
9.3.svchost.exe.345cf20.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x336af:$a1: get_encryptedPassword 0x33683:$a2: get_encryptedUsername 0x33747:$a3: get_timePasswordChanged 0x3365f:$a4: get_passwordField 0x336c5:$a5: set_encryptedPassword 0x33492:$a7: get_logins 0x2ed56:$a10: KeyLoggerEventArgs 0x2ed25:$a11: KeyLoggerEventArgsEventHandler 0x33566:$a13: _encryptedPassword
9.3.svchost.exe.345cf20.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3d481:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3cb24:$a3: \Google\Chrome\User Data\Default\Login Data 0x3cd81:$a4: \Orbitum\User Data\Default\Login Data 0x3d760:$a5: \Kometa\User Data\Default\Login Data
9.3.svchost.exe.345cf20.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31288:$s1: UnHook 0x31224:$s2: SetHook 0x3125d:$s3: CallNextHook 0x311ec:$s4: _hook
5.3.svchost.exe.2a5ff20.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.3.svchost.exe.2a5ff20.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
5.3.svchost.exe.2a5ff20.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.3.svchost.exe.2a5ff20.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x336af:$a1: get_encryptedPassword 0x33683:$a2: get_encryptedUsername 0x33747:$a3: get_timePasswordChanged 0x3365f:$a4: get_passwordField 0x336c5:$a5: set_encryptedPassword 0x33492:$a7: get_logins 0x2ed56:$a10: KeyLoggerEventArgs 0x2ed25:$a11: KeyLoggerEventArgsEventHandler 0x33566:$a13: _encryptedPassword
5.3.svchost.exe.2a5ff20.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3d481:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3cb24:$a3: \Google\Chrome\User Data\Default\Login Data 0x3cd81:$a4: \Orbitum\User Data\Default\Login Data 0x3d760:$a5: \Kometa\User Data\Default\Login Data
5.3.svchost.exe.2a5ff20.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31288:$s1: UnHook 0x31224:$s2: SetHook 0x3125d:$s3: CallNextHook 0x311ec:$s4: _hook
9.2.svchost.exe.7f40000.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.svchost.exe.7f40000.7.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
9.2.svchost.exe.7f40000.7.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.2.svchost.exe.7f40000.7.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x352af:$a1: get_encryptedPassword 0x35283:$a2: get_encryptedUsername 0x35347:$a3: get_timePasswordChanged 0x3525f:$a4: get_passwordField 0x352c5:$a5: set_encryptedPassword 0x35092:$a7: get_logins 0x30956:$a10: KeyLoggerEventArgs 0x30925:$a11: KeyLoggerEventArgsEventHandler 0x35166:$a13: _encryptedPassword
9.2.svchost.exe.7f40000.7.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3f081:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3e724:$a3: \Google\Chrome\User Data\Default\Login Data 0x3e981:$a4: \Orbitum\User Data\Default\Login Data 0x3f360:$a5: \Kometa\User Data\Default\Login Data
9.2.svchost.exe.7f40000.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x32e88:$s1: UnHook 0x32e24:$s2: SetHook 0x32e5d:$s3: CallNextHook 0x32dec:$s4: _hook
9.3.svchost.exe.345c000.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.3.svchost.exe.345c000.0.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
9.3.svchost.exe.345c000.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.3.svchost.exe.345c000.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x361cf:$a1: get_encryptedPassword 0x361a3:$a2: get_encryptedUsername 0x36267:$a3: get_timePasswordChanged 0x3617f:$a4: get_passwordField 0x361e5:$a5: set_encryptedPassword 0x35fb2:$a7: get_logins 0x31876:$a10: KeyLoggerEventArgs 0x31845:$a11: KeyLoggerEventArgsEventHandler 0x36086:$a13: _encryptedPassword
9.2.svchost.exe.3574f2e.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.svchost.exe.3574f2e.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
9.2.svchost.exe.3574f2e.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.3.svchost.exe.345c000.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3ffa1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3f644:$a3: \Google\Chrome\User Data\Default\Login Data 0x3f8a1:$a4: \Orbitum\User Data\Default\Login Data 0x40280:$a5: \Kometa\User Data\Default\Login Data
9.3.svchost.exe.345c000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33da8:$s1: UnHook 0x33d44:$s2: SetHook 0x33d7d:$s3: CallNextHook 0x33d0c:$s4: _hook
5.2.svchost.exe.5b8df90.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.svchost.exe.5b8df90.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
5.2.svchost.exe.5b8df90.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.svchost.exe.5b8df90.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x352af:$a1: get_encryptedPassword 0x35283:$a2: get_encryptedUsername 0x35347:$a3: get_timePasswordChanged 0x3525f:$a4: get_passwordField 0x352c5:$a5: set_encryptedPassword 0x35092:$a7: get_logins 0x30956:$a10: KeyLoggerEventArgs 0x30925:$a11: KeyLoggerEventArgsEventHandler 0x35166:$a13: _encryptedPassword
5.2.svchost.exe.5b8df90.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3f081:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3e724:$a3: \Google\Chrome\User Data\Default\Login Data 0x3e981:$a4: \Orbitum\User Data\Default\Login Data 0x3f360:$a5: \Kometa\User Data\Default\Login Data
9.2.svchost.exe.3574f2e.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x336af:$a1: get_encryptedPassword 0x33683:$a2: get_encryptedUsername 0x33747:$a3: get_timePasswordChanged 0x3365f:$a4: get_passwordField 0x336c5:$a5: set_encryptedPassword 0x33492:$a7: get_logins 0x2ed56:$a10: KeyLoggerEventArgs 0x2ed25:$a11: KeyLoggerEventArgsEventHandler 0x33566:$a13: _encryptedPassword
9.2.svchost.exe.3574f2e.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3d481:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3cb24:$a3: \Google\Chrome\User Data\Default\Login Data 0x3cd81:$a4: \Orbitum\User Data\Default\Login Data 0x3d760:$a5: \Kometa\User Data\Default\Login Data
9.2.svchost.exe.3574f2e.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31288:$s1: UnHook 0x31224:$s2: SetHook 0x3125d:$s3: CallNextHook 0x311ec:$s4: _hook
5.2.svchost.exe.5b8df90.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x32e88:$s1: UnHook 0x32e24:$s2: SetHook 0x32e5d:$s3: CallNextHook 0x32dec:$s4: _hook
9.2.svchost.exe.7b80000.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.svchost.exe.7b80000.5.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
9.2.svchost.exe.7b80000.5.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.svchost.exe.71b0000.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.svchost.exe.71b0000.6.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
5.2.svchost.exe.71b0000.6.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.svchost.exe.71b0000.6.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x361cf:$a1: get_encryptedPassword 0x361a3:$a2: get_encryptedUsername 0x36267:$a3: get_timePasswordChanged 0x3617f:$a4: get_passwordField 0x361e5:$a5: set_encryptedPassword 0x35fb2:$a7: get_logins 0x31876:$a10: KeyLoggerEventArgs 0x31845:$a11: KeyLoggerEventArgsEventHandler 0x36086:$a13: _encryptedPassword
5.2.svchost.exe.71b0000.6.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3ffa1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3f644:$a3: \Google\Chrome\User Data\Default\Login Data 0x3f8a1:$a4: \Orbitum\User Data\Default\Login Data 0x40280:$a5: \Kometa\User Data\Default\Login Data
5.2.svchost.exe.71b0000.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33da8:$s1: UnHook 0x33d44:$s2: SetHook 0x33d7d:$s3: CallNextHook 0x33d0c:$s4: _hook
9.2.svchost.exe.7b80000.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x361cf:$a1: get_encryptedPassword 0x361a3:$a2: get_encryptedUsername 0x36267:$a3: get_timePasswordChanged 0x3617f:$a4: get_passwordField 0x361e5:$a5: set_encryptedPassword 0x35fb2:$a7: get_logins 0x31876:$a10: KeyLoggerEventArgs 0x31845:$a11: KeyLoggerEventArgsEventHandler 0x36086:$a13: _encryptedPassword
9.2.svchost.exe.7b80000.5.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3ffa1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3f644:$a3: \Google\Chrome\User Data\Default\Login Data 0x3f8a1:$a4: \Orbitum\User Data\Default\Login Data 0x40280:$a5: \Kometa\User Data\Default\Login Data
9.2.svchost.exe.7b80000.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33da8:$s1: UnHook 0x33d44:$s2: SetHook 0x33d7d:$s3: CallNextHook 0x33d0c:$s4: _hook
5.3.svchost.exe.2a5f000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.3.svchost.exe.2a5f000.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
5.3.svchost.exe.2a5f000.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.3.svchost.exe.2a5f000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x343cf:$a1: get_encryptedPassword 0x343a3:$a2: get_encryptedUsername 0x34467:$a3: get_timePasswordChanged 0x3437f:$a4: get_passwordField 0x343e5:$a5: set_encryptedPassword 0x341b2:$a7: get_logins 0x2fa76:$a10: KeyLoggerEventArgs 0x2fa45:$a11: KeyLoggerEventArgsEventHandler 0x34286:$a13: _encryptedPassword
5.3.svchost.exe.2a5f000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3e1a1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3d844:$a3: \Google\Chrome\User Data\Default\Login Data 0x3daa1:$a4: \Orbitum\User Data\Default\Login Data 0x3e480:$a5: \Kometa\User Data\Default\Login Data
5.3.svchost.exe.2a5f000.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31fa8:$s1: UnHook 0x31f44:$s2: SetHook 0x31f7d:$s3: CallNextHook 0x31f0c:$s4: _hook
5.2.svchost.exe.71b0f20.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.svchost.exe.71b0f20.5.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
5.2.svchost.exe.71b0f20.5.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.svchost.exe.71b0f20.5.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x336af:$a1: get_encryptedPassword 0x33683:$a2: get_encryptedUsername 0x33747:$a3: get_timePasswordChanged 0x3365f:$a4: get_passwordField 0x336c5:$a5: set_encryptedPassword 0x33492:$a7: get_logins 0x2ed56:$a10: KeyLoggerEventArgs 0x2ed25:$a11: KeyLoggerEventArgsEventHandler 0x33566:$a13: _encryptedPassword
5.2.svchost.exe.71b0f20.5.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3d481:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3cb24:$a3: \Google\Chrome\User Data\Default\Login Data 0x3cd81:$a4: \Orbitum\User Data\Default\Login Data 0x3d760:$a5: \Kometa\User Data\Default\Login Data
5.2.svchost.exe.71b0f20.5.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31288:$s1: UnHook 0x31224:$s2: SetHook 0x3125d:$s3: CallNextHook 0x311ec:$s4: _hook
9.2.svchost.exe.7b80f20.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.svchost.exe.7b80f20.6.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
9.2.svchost.exe.7b80f20.6.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.2.svchost.exe.7b80f20.6.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x352af:$a1: get_encryptedPassword 0x35283:$a2: get_encryptedUsername 0x35347:$a3: get_timePasswordChanged 0x3525f:$a4: get_passwordField 0x352c5:$a5: set_encryptedPassword 0x35092:$a7: get_logins 0x30956:$a10: KeyLoggerEventArgs 0x30925:$a11: KeyLoggerEventArgsEventHandler 0x35166:$a13: _encryptedPassword
9.2.svchost.exe.7b80f20.6.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3f081:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3e724:$a3: \Google\Chrome\User Data\Default\Login Data 0x3e981:$a4: \Orbitum\User Data\Default\Login Data 0x3f360:$a5: \Kometa\User Data\Default\Login Data
9.2.svchost.exe.7b80f20.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x32e88:$s1: UnHook 0x32e24:$s2: SetHook 0x32e5d:$s3: CallNextHook 0x32dec:$s4: _hook
7.2.Hegeleos.exe.2bf0000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 62 88 44 24 2B 88 44 24 2F B0 08 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
9.2.svchost.exe.7b80f20.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.svchost.exe.7b80f20.6.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
9.2.svchost.exe.7b80f20.6.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.2.svchost.exe.7b80f20.6.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x336af:$a1: get_encryptedPassword 0x33683:$a2: get_encryptedUsername 0x33747:$a3: get_timePasswordChanged 0x3365f:$a4: get_passwordField 0x336c5:$a5: set_encryptedPassword 0x33492:$a7: get_logins 0x2ed56:$a10: KeyLoggerEventArgs 0x2ed25:$a11: KeyLoggerEventArgsEventHandler 0x33566:$a13: _encryptedPassword
9.2.svchost.exe.7b80f20.6.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3d481:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3cb24:$a3: \Google\Chrome\User Data\Default\Login Data 0x3cd81:$a4: \Orbitum\User Data\Default\Login Data 0x3d760:$a5: \Kometa\User Data\Default\Login Data
9.2.svchost.exe.7b80f20.6.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31288:$s1: UnHook 0x31224:$s2: SetHook 0x3125d:$s3: CallNextHook 0x311ec:$s4: _hook
2.2.Hegeleos.exe.3e20000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 62 88 44 24 2B 88 44 24 2F B0 08 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
9.2.svchost.exe.7b80000.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.svchost.exe.7b80000.5.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
9.2.svchost.exe.7b80000.5.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.2.svchost.exe.7b80000.5.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x343cf:$a1: get_encryptedPassword 0x343a3:$a2: get_encryptedUsername 0x34467:$a3: get_timePasswordChanged 0x3437f:$a4: get_passwordField 0x343e5:$a5: set_encryptedPassword 0x341b2:$a7: get_logins 0x2fa76:$a10: KeyLoggerEventArgs 0x2fa45:$a11: KeyLoggerEventArgsEventHandler 0x34286:$a13: _encryptedPassword
9.2.svchost.exe.7b80000.5.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3e1a1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3d844:$a3: \Google\Chrome\User Data\Default\Login Data 0x3daa1:$a4: \Orbitum\User Data\Default\Login Data 0x3e480:$a5: \Kometa\User Data\Default\Login Data
9.2.svchost.exe.7b80000.5.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31fa8:$s1: UnHook 0x31f44:$s2: SetHook 0x31f7d:$s3: CallNextHook 0x31f0c:$s4: _hook
5.2.svchost.exe.71b0f20.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.svchost.exe.71b0f20.5.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
5.2.svchost.exe.71b0f20.5.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.svchost.exe.71b0f20.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x352af:$a1: get_encryptedPassword 0x35283:$a2: get_encryptedUsername 0x35347:$a3: get_timePasswordChanged 0x3525f:$a4: get_passwordField 0x352c5:$a5: set_encryptedPassword 0x35092:$a7: get_logins 0x30956:$a10: KeyLoggerEventArgs 0x30925:$a11: KeyLoggerEventArgsEventHandler 0x35166:$a13: _encryptedPassword
5.2.svchost.exe.71b0f20.5.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3f081:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3e724:$a3: \Google\Chrome\User Data\Default\Login Data 0x3e981:$a4: \Orbitum\User Data\Default\Login Data 0x3f360:$a5: \Kometa\User Data\Default\Login Data
5.2.svchost.exe.71b0f20.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x32e88:$s1: UnHook 0x32e24:$s2: SetHook 0x32e5d:$s3: CallNextHook 0x32dec:$s4: _hook
4.2.Hegeleos.exe.2f50000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 62 88 44 24 2B 88 44 24 2F B0 08 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
9.2.svchost.exe.7f40000.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.svchost.exe.7f40000.7.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
9.2.svchost.exe.7f40000.7.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.2.svchost.exe.7f40000.7.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x336af:$a1: get_encryptedPassword 0x33683:$a2: get_encryptedUsername 0x33747:$a3: get_timePasswordChanged 0x3365f:$a4: get_passwordField 0x336c5:$a5: set_encryptedPassword 0x33492:$a7: get_logins 0x2ed56:$a10: KeyLoggerEventArgs 0x2ed25:$a11: KeyLoggerEventArgsEventHandler 0x33566:$a13: _encryptedPassword
9.2.svchost.exe.7f40000.7.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3d481:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3cb24:$a3: \Google\Chrome\User Data\Default\Login Data 0x3cd81:$a4: \Orbitum\User Data\Default\Login Data 0x3d760:$a5: \Kometa\User Data\Default\Login Data
9.2.svchost.exe.7f40000.7.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31288:$s1: UnHook 0x31224:$s2: SetHook 0x3125d:$s3: CallNextHook 0x311ec:$s4: _hook
5.3.svchost.exe.2a5f000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.3.svchost.exe.2a5f000.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
5.3.svchost.exe.2a5f000.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.3.svchost.exe.2a5f000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x361cf:$a1: get_encryptedPassword 0x361a3:$a2: get_encryptedUsername 0x36267:$a3: get_timePasswordChanged 0x3617f:$a4: get_passwordField 0x361e5:$a5: set_encryptedPassword 0x35fb2:$a7: get_logins 0x31876:$a10: KeyLoggerEventArgs 0x31845:$a11: KeyLoggerEventArgsEventHandler 0x36086:$a13: _encryptedPassword
5.3.svchost.exe.2a5f000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3ffa1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3f644:$a3: \Google\Chrome\User Data\Default\Login Data 0x3f8a1:$a4: \Orbitum\User Data\Default\Login Data 0x40280:$a5: \Kometa\User Data\Default\Login Data
5.3.svchost.exe.2a5f000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33da8:$s1: UnHook 0x33d44:$s2: SetHook 0x33d7d:$s3: CallNextHook 0x33d0c:$s4: _hook
5.2.svchost.exe.7470000.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.svchost.exe.7470000.7.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
5.2.svchost.exe.7470000.7.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.svchost.exe.7470000.7.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x352af:$a1: get_encryptedPassword 0x35283:$a2: get_encryptedUsername 0x35347:$a3: get_timePasswordChanged 0x3525f:$a4: get_passwordField 0x352c5:$a5: set_encryptedPassword 0x35092:$a7: get_logins 0x30956:$a10: KeyLoggerEventArgs 0x30925:$a11: KeyLoggerEventArgsEventHandler 0x35166:$a13: _encryptedPassword
5.2.svchost.exe.7470000.7.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3f081:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3e724:$a3: \Google\Chrome\User Data\Default\Login Data 0x3e981:$a4: \Orbitum\User Data\Default\Login Data 0x3f360:$a5: \Kometa\User Data\Default\Login Data
5.2.svchost.exe.7470000.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x32e88:$s1: UnHook 0x32e24:$s2: SetHook 0x32e5d:$s3: CallNextHook 0x32dec:$s4: _hook
5.2.svchost.exe.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 62 88 44 24 2B 88 44 24 2F B0 08 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
5.2.svchost.exe.5b8df90.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.svchost.exe.5b8df90.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
5.2.svchost.exe.5b8df90.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.svchost.exe.5b8df90.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x336af:$a1: get_encryptedPassword 0x33683:$a2: get_encryptedUsername 0x33747:$a3: get_timePasswordChanged 0x3365f:$a4: get_passwordField 0x336c5:$a5: set_encryptedPassword 0x33492:$a7: get_logins 0x2ed56:$a10: KeyLoggerEventArgs 0x2ed25:$a11: KeyLoggerEventArgsEventHandler 0x33566:$a13: _encryptedPassword
5.2.svchost.exe.5b8df90.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3d481:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3cb24:$a3: \Google\Chrome\User Data\Default\Login Data 0x3cd81:$a4: \Orbitum\User Data\Default\Login Data 0x3d760:$a5: \Kometa\User Data\Default\Login Data
5.2.svchost.exe.5b8df90.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31288:$s1: UnHook 0x31224:$s2: SetHook 0x3125d:$s3: CallNextHook 0x311ec:$s4: _hook
5.2.svchost.exe.5b46490.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.svchost.exe.5b46490.4.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
5.2.svchost.exe.5b46490.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.svchost.exe.5b46490.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x336af:$a1: get_encryptedPassword 0x33683:$a2: get_encryptedUsername 0x33747:$a3: get_timePasswordChanged 0x3365f:$a4: get_passwordField 0x336c5:$a5: set_encryptedPassword 0x33492:$a7: get_logins 0x2ed56:$a10: KeyLoggerEventArgs 0x2ed25:$a11: KeyLoggerEventArgsEventHandler 0x33566:$a13: _encryptedPassword
5.2.svchost.exe.5b46490.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3d481:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3cb24:$a3: \Google\Chrome\User Data\Default\Login Data 0x3cd81:$a4: \Orbitum\User Data\Default\Login Data 0x3d760:$a5: \Kometa\User Data\Default\Login Data
5.2.svchost.exe.5b46490.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31288:$s1: UnHook 0x31224:$s2: SetHook 0x3125d:$s3: CallNextHook 0x311ec:$s4: _hook
9.2.svchost.exe.662df90.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.svchost.exe.662df90.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
9.2.svchost.exe.662df90.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.2.svchost.exe.662df90.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x336af:$a1: get_encryptedPassword 0x33683:$a2: get_encryptedUsername 0x33747:$a3: get_timePasswordChanged 0x3365f:$a4: get_passwordField 0x336c5:$a5: set_encryptedPassword 0x33492:$a7: get_logins 0x2ed56:$a10: KeyLoggerEventArgs 0x2ed25:$a11: KeyLoggerEventArgsEventHandler 0x33566:$a13: _encryptedPassword
9.2.svchost.exe.662df90.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3d481:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3cb24:$a3: \Google\Chrome\User Data\Default\Login Data 0x3cd81:$a4: \Orbitum\User Data\Default\Login Data 0x3d760:$a5: \Kometa\User Data\Default\Login Data
9.2.svchost.exe.662df90.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31288:$s1: UnHook 0x31224:$s2: SetHook 0x3125d:$s3: CallNextHook 0x311ec:$s4: _hook
9.2.svchost.exe.65e5570.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.svchost.exe.65e5570.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
9.2.svchost.exe.65e5570.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.2.svchost.exe.65e5570.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x361cf:$a1: get_encryptedPassword 0x7dccf:$a1: get_encryptedPassword 0x361a3:$a2: get_encryptedUsername 0x7dca3:$a2: get_encryptedUsername 0x36267:$a3: get_timePasswordChanged 0x7dd67:$a3: get_timePasswordChanged 0x3617f:$a4: get_passwordField 0x7dc7f:$a4: get_passwordField 0x361e5:$a5: set_encryptedPassword 0x7dce5:$a5: set_encryptedPassword 0x35fb2:$a7: get_logins 0x7dab2:$a7: get_logins 0x31876:$a10: KeyLoggerEventArgs 0x79376:$a10: KeyLoggerEventArgs 0x31845:$a11: KeyLoggerEventArgsEventHandler 0x79345:$a11: KeyLoggerEventArgsEventHandler 0x36086:$a13: _encryptedPassword 0x7db86:$a13: _encryptedPassword
9.2.svchost.exe.65e5570.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3ffa1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x87aa1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3f644:$a3: \Google\Chrome\User Data\Default\Login Data 0x87144:$a3: \Google\Chrome\User Data\Default\Login Data 0x3f8a1:$a4: \Orbitum\User Data\Default\Login Data 0x873a1:$a4: \Orbitum\User Data\Default\Login Data 0x40280:$a5: \Kometa\User Data\Default\Login Data 0x87d80:$a5: \Kometa\User Data\Default\Login Data
9.2.svchost.exe.65e5570.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33da8:$s1: UnHook 0x7b8a8:$s1: UnHook 0x33d44:$s2: SetHook 0x7b844:$s2: SetHook 0x33d7d:$s3: CallNextHook 0x7b87d:$s3: CallNextHook 0x33d0c:$s4: _hook 0x7b80c:$s4: _hook
5.2.svchost.exe.5b45570.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.svchost.exe.5b45570.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
5.2.svchost.exe.5b45570.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.svchost.exe.2b74f2e.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.svchost.exe.2b74f2e.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
5.2.svchost.exe.2b74f2e.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.svchost.exe.2b74f2e.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x336af:$a1: get_encryptedPassword 0x33683:$a2: get_encryptedUsername 0x33747:$a3: get_timePasswordChanged 0x3365f:$a4: get_passwordField 0x336c5:$a5: set_encryptedPassword 0x33492:$a7: get_logins 0x2ed56:$a10: KeyLoggerEventArgs 0x2ed25:$a11: KeyLoggerEventArgsEventHandler 0x33566:$a13: _encryptedPassword
5.2.svchost.exe.5b45570.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x361cf:$a1: get_encryptedPassword 0x7dccf:$a1: get_encryptedPassword 0x361a3:$a2: get_encryptedUsername 0x7dca3:$a2: get_encryptedUsername 0x36267:$a3: get_timePasswordChanged 0x7dd67:$a3: get_timePasswordChanged 0x3617f:$a4: get_passwordField 0x7dc7f:$a4: get_passwordField 0x361e5:$a5: set_encryptedPassword 0x7dce5:$a5: set_encryptedPassword 0x35fb2:$a7: get_logins 0x7dab2:$a7: get_logins 0x31876:$a10: KeyLoggerEventArgs 0x79376:$a10: KeyLoggerEventArgs 0x31845:$a11: KeyLoggerEventArgsEventHandler 0x79345:$a11: KeyLoggerEventArgsEventHandler 0x36086:$a13: _encryptedPassword 0x7db86:$a13: _encryptedPassword
5.2.svchost.exe.2b74f2e.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3d481:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3cb24:$a3: \Google\Chrome\User Data\Default\Login Data 0x3cd81:$a4: \Orbitum\User Data\Default\Login Data 0x3d760:$a5: \Kometa\User Data\Default\Login Data
5.2.svchost.exe.5b45570.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3ffa1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x87aa1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3f644:$a3: \Google\Chrome\User Data\Default\Login Data 0x87144:$a3: \Google\Chrome\User Data\Default\Login Data 0x3f8a1:$a4: \Orbitum\User Data\Default\Login Data 0x873a1:$a4: \Orbitum\User Data\Default\Login Data 0x40280:$a5: \Kometa\User Data\Default\Login Data 0x87d80:$a5: \Kometa\User Data\Default\Login Data
5.2.svchost.exe.2b74f2e.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31288:$s1: UnHook 0x31224:$s2: SetHook 0x3125d:$s3: CallNextHook 0x311ec:$s4: _hook
5.2.svchost.exe.5b45570.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33da8:$s1: UnHook 0x7b8a8:$s1: UnHook 0x33d44:$s2: SetHook 0x7b844:$s2: SetHook 0x33d7d:$s3: CallNextHook 0x7b87d:$s3: CallNextHook 0x33d0c:$s4: _hook 0x7b80c:$s4: _hook
5.2.svchost.exe.71b0000.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.svchost.exe.71b0000.6.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
5.2.svchost.exe.71b0000.6.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.svchost.exe.71b0000.6.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x343cf:$a1: get_encryptedPassword 0x343a3:$a2: get_encryptedUsername 0x34467:$a3: get_timePasswordChanged 0x3437f:$a4: get_passwordField 0x343e5:$a5: set_encryptedPassword 0x341b2:$a7: get_logins 0x2fa76:$a10: KeyLoggerEventArgs 0x2fa45:$a11: KeyLoggerEventArgsEventHandler 0x34286:$a13: _encryptedPassword
5.2.svchost.exe.71b0000.6.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3e1a1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3d844:$a3: \Google\Chrome\User Data\Default\Login Data 0x3daa1:$a4: \Orbitum\User Data\Default\Login Data 0x3e480:$a5: \Kometa\User Data\Default\Login Data
5.2.svchost.exe.71b0000.6.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31fa8:$s1: UnHook 0x31f44:$s2: SetHook 0x31f7d:$s3: CallNextHook 0x31f0c:$s4: _hook
5.2.svchost.exe.7470000.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.svchost.exe.7470000.7.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
5.2.svchost.exe.7470000.7.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.svchost.exe.7470000.7.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x336af:$a1: get_encryptedPassword 0x33683:$a2: get_encryptedUsername 0x33747:$a3: get_timePasswordChanged 0x3365f:$a4: get_passwordField 0x336c5:$a5: set_encryptedPassword 0x33492:$a7: get_logins 0x2ed56:$a10: KeyLoggerEventArgs 0x2ed25:$a11: KeyLoggerEventArgsEventHandler 0x33566:$a13: _encryptedPassword
5.2.svchost.exe.7470000.7.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3d481:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3cb24:$a3: \Google\Chrome\User Data\Default\Login Data 0x3cd81:$a4: \Orbitum\User Data\Default\Login Data 0x3d760:$a5: \Kometa\User Data\Default\Login Data
5.2.svchost.exe.7470000.7.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31288:$s1: UnHook 0x31224:$s2: SetHook 0x3125d:$s3: CallNextHook 0x311ec:$s4: _hook
5.2.svchost.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 62 88 44 24 2B 88 44 24 2F B0 08 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
5.2.svchost.exe.5b45570.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.svchost.exe.5b45570.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
5.2.svchost.exe.5b45570.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.svchost.exe.5b45570.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x343cf:$a1: get_encryptedPassword 0x343a3:$a2: get_encryptedUsername 0x34467:$a3: get_timePasswordChanged 0x3437f:$a4: get_passwordField 0x343e5:$a5: set_encryptedPassword 0x341b2:$a7: get_logins 0x2fa76:$a10: KeyLoggerEventArgs 0x2fa45:$a11: KeyLoggerEventArgsEventHandler 0x34286:$a13: _encryptedPassword
5.2.svchost.exe.5b45570.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3e1a1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3d844:$a3: \Google\Chrome\User Data\Default\Login Data 0x3daa1:$a4: \Orbitum\User Data\Default\Login Data 0x3e480:$a5: \Kometa\User Data\Default\Login Data
5.2.svchost.exe.5b45570.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31fa8:$s1: UnHook 0x31f44:$s2: SetHook 0x31f7d:$s3: CallNextHook 0x31f0c:$s4: _hook
5.2.svchost.exe.5b46490.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.svchost.exe.5b46490.4.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
5.2.svchost.exe.5b46490.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.svchost.exe.5b46490.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x352af:$a1: get_encryptedPassword 0x7cdaf:$a1: get_encryptedPassword 0x35283:$a2: get_encryptedUsername 0x7cd83:$a2: get_encryptedUsername 0x35347:$a3: get_timePasswordChanged 0x7ce47:$a3: get_timePasswordChanged 0x3525f:$a4: get_passwordField 0x7cd5f:$a4: get_passwordField 0x352c5:$a5: set_encryptedPassword 0x7cdc5:$a5: set_encryptedPassword 0x35092:$a7: get_logins 0x7cb92:$a7: get_logins 0x30956:$a10: KeyLoggerEventArgs 0x78456:$a10: KeyLoggerEventArgs 0x30925:$a11: KeyLoggerEventArgsEventHandler 0x78425:$a11: KeyLoggerEventArgsEventHandler 0x35166:$a13: _encryptedPassword 0x7cc66:$a13: _encryptedPassword
5.2.svchost.exe.5b46490.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3f081:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x86b81:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3e724:$a3: \Google\Chrome\User Data\Default\Login Data 0x86224:$a3: \Google\Chrome\User Data\Default\Login Data 0x3e981:$a4: \Orbitum\User Data\Default\Login Data 0x86481:$a4: \Orbitum\User Data\Default\Login Data 0x3f360:$a5: \Kometa\User Data\Default\Login Data 0x86e60:$a5: \Kometa\User Data\Default\Login Data
5.2.svchost.exe.5b46490.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x32e88:$s1: UnHook 0x7a988:$s1: UnHook 0x32e24:$s2: SetHook 0x7a924:$s2: SetHook 0x32e5d:$s3: CallNextHook 0x7a95d:$s3: CallNextHook 0x32dec:$s4: _hook 0x7a8ec:$s4: _hook
9.2.svchost.exe.65e6490.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.svchost.exe.65e6490.4.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
9.2.svchost.exe.65e6490.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.2.svchost.exe.65e6490.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x336af:$a1: get_encryptedPassword 0x33683:$a2: get_encryptedUsername 0x33747:$a3: get_timePasswordChanged 0x3365f:$a4: get_passwordField 0x336c5:$a5: set_encryptedPassword 0x33492:$a7: get_logins 0x2ed56:$a10: KeyLoggerEventArgs 0x2ed25:$a11: KeyLoggerEventArgsEventHandler 0x33566:$a13: _encryptedPassword
9.2.svchost.exe.65e6490.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3d481:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3cb24:$a3: \Google\Chrome\User Data\Default\Login Data 0x3cd81:$a4: \Orbitum\User Data\Default\Login Data 0x3d760:$a5: \Kometa\User Data\Default\Login Data
9.2.svchost.exe.65e6490.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31288:$s1: UnHook 0x31224:$s2: SetHook 0x3125d:$s3: CallNextHook 0x311ec:$s4: _hook
9.2.svchost.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 62 88 44 24 2B 88 44 24 2F B0 08 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
9.3.svchost.exe.345c000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.3.svchost.exe.345c000.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
9.3.svchost.exe.345c000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.3.svchost.exe.345c000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x343cf:$a1: get_encryptedPassword 0x343a3:$a2: get_encryptedUsername 0x34467:$a3: get_timePasswordChanged 0x3437f:$a4: get_passwordField 0x343e5:$a5: set_encryptedPassword 0x341b2:$a7: get_logins 0x2fa76:$a10: KeyLoggerEventArgs 0x2fa45:$a11: KeyLoggerEventArgsEventHandler 0x34286:$a13: _encryptedPassword
9.3.svchost.exe.345c000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3e1a1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3d844:$a3: \Google\Chrome\User Data\Default\Login Data 0x3daa1:$a4: \Orbitum\User Data\Default\Login Data 0x3e480:$a5: \Kometa\User Data\Default\Login Data
9.3.svchost.exe.345c000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31fa8:$s1: UnHook 0x31f44:$s2: SetHook 0x31f7d:$s3: CallNextHook 0x31f0c:$s4: _hook
9.2.svchost.exe.3574f2e.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.svchost.exe.3574f2e.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
9.2.svchost.exe.3574f2e.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.2.svchost.exe.3574f2e.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x352af:$a1: get_encryptedPassword 0x35283:$a2: get_encryptedUsername 0x35347:$a3: get_timePasswordChanged 0x3525f:$a4: get_passwordField 0x352c5:$a5: set_encryptedPassword 0x35092:$a7: get_logins 0x30956:$a10: KeyLoggerEventArgs 0x30925:$a11: KeyLoggerEventArgsEventHandler 0x35166:$a13: _encryptedPassword
9.2.svchost.exe.3574f2e.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3f081:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3e724:$a3: \Google\Chrome\User Data\Default\Login Data 0x3e981:$a4: \Orbitum\User Data\Default\Login Data 0x3f360:$a5: \Kometa\User Data\Default\Login Data
9.2.svchost.exe.3574f2e.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x32e88:$s1: UnHook 0x32e24:$s2: SetHook 0x32e5d:$s3: CallNextHook 0x32dec:$s4: _hook
9.2.svchost.exe.65e5570.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.svchost.exe.65e5570.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
9.2.svchost.exe.65e5570.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.2.svchost.exe.65e5570.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x343cf:$a1: get_encryptedPassword 0x343a3:$a2: get_encryptedUsername 0x34467:$a3: get_timePasswordChanged 0x3437f:$a4: get_passwordField 0x343e5:$a5: set_encryptedPassword 0x341b2:$a7: get_logins 0x2fa76:$a10: KeyLoggerEventArgs 0x2fa45:$a11: KeyLoggerEventArgsEventHandler 0x34286:$a13: _encryptedPassword
9.2.svchost.exe.65e5570.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3e1a1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3d844:$a3: \Google\Chrome\User Data\Default\Login Data 0x3daa1:$a4: \Orbitum\User Data\Default\Login Data 0x3e480:$a5: \Kometa\User Data\Default\Login Data
9.2.svchost.exe.65e5570.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31fa8:$s1: UnHook 0x31f44:$s2: SetHook 0x31f7d:$s3: CallNextHook 0x31f0c:$s4: _hook
5.3.svchost.exe.2a5ff20.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.3.svchost.exe.2a5ff20.0.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
5.3.svchost.exe.2a5ff20.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.3.svchost.exe.2a5ff20.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x352af:$a1: get_encryptedPassword 0x35283:$a2: get_encryptedUsername 0x35347:$a3: get_timePasswordChanged 0x3525f:$a4: get_passwordField 0x352c5:$a5: set_encryptedPassword 0x35092:$a7: get_logins 0x30956:$a10: KeyLoggerEventArgs 0x30925:$a11: KeyLoggerEventArgsEventHandler 0x35166:$a13: _encryptedPassword
5.3.svchost.exe.2a5ff20.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3f081:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3e724:$a3: \Google\Chrome\User Data\Default\Login Data 0x3e981:$a4: \Orbitum\User Data\Default\Login Data 0x3f360:$a5: \Kometa\User Data\Default\Login Data
5.3.svchost.exe.2a5ff20.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x32e88:$s1: UnHook 0x32e24:$s2: SetHook 0x32e5d:$s3: CallNextHook 0x32dec:$s4: _hook
9.2.svchost.exe.65e6490.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.svchost.exe.65e6490.4.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
9.2.svchost.exe.65e6490.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.2.svchost.exe.65e6490.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x352af:$a1: get_encryptedPassword 0x7cdaf:$a1: get_encryptedPassword 0x35283:$a2: get_encryptedUsername 0x7cd83:$a2: get_encryptedUsername 0x35347:$a3: get_timePasswordChanged 0x7ce47:$a3: get_timePasswordChanged 0x3525f:$a4: get_passwordField 0x7cd5f:$a4: get_passwordField 0x352c5:$a5: set_encryptedPassword 0x7cdc5:$a5: set_encryptedPassword 0x35092:$a7: get_logins 0x7cb92:$a7: get_logins 0x30956:$a10: KeyLoggerEventArgs 0x78456:$a10: KeyLoggerEventArgs 0x30925:$a11: KeyLoggerEventArgsEventHandler 0x78425:$a11: KeyLoggerEventArgsEventHandler 0x35166:$a13: _encryptedPassword 0x7cc66:$a13: _encryptedPassword
9.2.svchost.exe.65e6490.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3f081:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x86b81:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3e724:$a3: \Google\Chrome\User Data\Default\Login Data 0x86224:$a3: \Google\Chrome\User Data\Default\Login Data 0x3e981:$a4: \Orbitum\User Data\Default\Login Data 0x86481:$a4: \Orbitum\User Data\Default\Login Data 0x3f360:$a5: \Kometa\User Data\Default\Login Data 0x86e60:$a5: \Kometa\User Data\Default\Login Data
9.2.svchost.exe.65e6490.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x32e88:$s1: UnHook 0x7a988:$s1: UnHook 0x32e24:$s2: SetHook 0x7a924:$s2: SetHook 0x32e5d:$s3: CallNextHook 0x7a95d:$s3: CallNextHook 0x32dec:$s4: _hook 0x7a8ec:$s4: _hook
9.2.svchost.exe.662df90.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.svchost.exe.662df90.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
9.2.svchost.exe.662df90.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
9.2.svchost.exe.662df90.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x352af:$a1: get_encryptedPassword 0x35283:$a2: get_encryptedUsername 0x35347:$a3: get_timePasswordChanged 0x3525f:$a4: get_passwordField 0x352c5:$a5: set_encryptedPassword 0x35092:$a7: get_logins 0x30956:$a10: KeyLoggerEventArgs 0x30925:$a11: KeyLoggerEventArgsEventHandler 0x35166:$a13: _encryptedPassword
9.2.svchost.exe.662df90.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3f081:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3e724:$a3: \Google\Chrome\User Data\Default\Login Data 0x3e981:$a4: \Orbitum\User Data\Default\Login Data 0x3f360:$a5: \Kometa\User Data\Default\Login Data
9.2.svchost.exe.662df90.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x32e88:$s1: UnHook 0x32e24:$s2: SetHook 0x32e5d:$s3: CallNextHook 0x32dec:$s4: _hook
Click to see the 218 entries

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Hegeleos.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Hegeleos.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4076, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Hegeleos.vbs" , ProcessId: 4564, ProcessName: wscript.exe

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\TR3lYZyOE3.exe", CommandLine: "C:\Users\user\Desktop\TR3lYZyOE3.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\TR3lYZyOE3.exe", ParentImage: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe, ParentProcessId: 7164, ParentProcessName: Hegeleos.exe, ProcessCommandLine: "C:\Users\user\Desktop\TR3lYZyOE3.exe", ProcessId: 6284, ProcessName: svchost.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Hegeleos.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Hegeleos.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4076, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Hegeleos.vbs" , ProcessId: 4564, ProcessName: wscript.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\TR3lYZyOE3.exe", CommandLine: "C:\Users\user\Desktop\TR3lYZyOE3.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\TR3lYZyOE3.exe", ParentImage: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe, ParentProcessId: 7164, ParentProcessName: Hegeleos.exe, ProcessCommandLine: "C:\Users\user\Desktop\TR3lYZyOE3.exe", ProcessId: 6284, ProcessName: svchost.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe, ProcessId: 7164, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Hegeleos.vbs

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: TR3lYZyOE3.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe

Avira: detection malicious, Label: TR/AD.ShellcodeCrypter.yqnyr

Found malware configuration

Source: 00000009.00000002.1306752473.0000000007B80000.00000004.08000000.00040000.00000000.sdmp	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Bot Token": "7339564661:AAFzTB6gEWMndjXYyD5LCn17UEBISRR8wDI", "Chat id": "6443825857", "Email ID": "sales-nguyen@vvtrade.vn", "Password": "qVyP6qyv6MQCmZJBRs4t", "Host": "mail.vvtrade.vn", "Port": "587"}
Source: 00000009.00000002.1306752473.0000000007B80000.00000004.08000000.00040000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Username": "sales-nguyen@vvtrade.vn", "Password": "qVyP6qyv6MQCmZJBRs4t", "Host": "mail.vvtrade.vn", "Port": "587", "Token": "7339564661:AAFzTB6gEWMndjXYyD5LCn17UEBISRR8wDI", "Chat_id": "6443825857", "Version": "4.4"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Virustotal: Detection: 72%			Perma Link

Multi AV Scanner detection for submitted file

Source: TR3lYZyOE3.exe	Virustotal: Detection: 72%			Perma Link
Source: TR3lYZyOE3.exe	ReversingLabs: Detection: 65%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 5.3.svchost.exe.2a5f000.1.unpack	String decryptor: sales-nguyen@vvtrade.vn
Source: 5.3.svchost.exe.2a5f000.1.unpack	String decryptor: qVyP6qyv6MQCmZJBRs4t
Source: 5.3.svchost.exe.2a5f000.1.unpack	String decryptor: mail.vvtrade.vn
Source: 5.3.svchost.exe.2a5f000.1.unpack	String decryptor: saleseuropower@yandex.com
Source: 5.3.svchost.exe.2a5f000.1.unpack	String decryptor: 587
Source: 5.3.svchost.exe.2a5f000.1.unpack	String decryptor: 7339564661:AAFzTB6gEWMndjXYyD5LCn17UEBISRR8wDI
Source: 5.3.svchost.exe.2a5f000.1.unpack	String decryptor: 6443825857
Source: 5.3.svchost.exe.2a5f000.1.unpack	String decryptor:

Source: TR3lYZyOE3.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb\??\C:\Windows\Fonts\staticcache.dat source: svchost.exe, 00000005.00000002.1242307413.0000000002A83000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdbC:\Windows\assembly\GAC_64 source: svchost.exe, 00000009.00000003.1274782575.00000000034EC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: _.pdb source: svchost.exe, 00000005.00000002.1243397567.0000000005B45000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1123909091.0000000002A5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1243612016.00000000071B0000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000005.00000002.1242545788.0000000002B74000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1306752473.0000000007B80000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000009.00000003.1219174380.000000000345C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1305315065.0000000003574000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1306220026.00000000065E5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: Hegeleos.exe, 00000002.00000003.1103230603.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, Hegeleos.exe, 00000002.00000003.1102923247.0000000004000000.00000004.00001000.00020000.00000000.sdmp, Hegeleos.exe, 00000004.00000003.1120950370.0000000003F00000.00000004.00001000.00020000.00000000.sdmp, Hegeleos.exe, 00000004.00000003.1119985209.00000000040A0000.00000004.00001000.00020000.00000000.sdmp, Hegeleos.exe, 00000007.00000003.1215461077.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp, Hegeleos.exe, 00000007.00000003.1218286961.0000000004070000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Hegeleos.exe, 00000002.00000003.1103230603.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, Hegeleos.exe, 00000002.00000003.1102923247.0000000004000000.00000004.00001000.00020000.00000000.sdmp, Hegeleos.exe, 00000004.00000003.1120950370.0000000003F00000.00000004.00001000.00020000.00000000.sdmp, Hegeleos.exe, 00000004.00000003.1119985209.00000000040A0000.00000004.00001000.00020000.00000000.sdmp, Hegeleos.exe, 00000007.00000003.1215461077.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp, Hegeleos.exe, 00000007.00000003.1218286961.0000000004070000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: 0_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_004339B6
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: 0_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00452492
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: 0_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00442886
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: 0_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_004788BD
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: 0_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose,	0_2_0045CAFA
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: 0_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00431A86
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: 0_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,	0_2_0044BD27
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: 0_2_0045DE8F FindFirstFileW,FindClose,	0_2_0045DE8F
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: 0_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0044BF8B
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 2_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose,	2_2_004339B6
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 2_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose,	2_2_00452492
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 2_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_00442886
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 2_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	2_2_004788BD
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 2_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose,	2_2_0045CAFA
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 2_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_00431A86
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 2_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,	2_2_0044BD27
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 2_2_0045DE8F FindFirstFileW,FindClose,	2_2_0045DE8F
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 2_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_0044BF8B
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose,	4_2_004339B6
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose,	4_2_00452492
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	4_2_00442886
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	4_2_004788BD
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose,	4_2_0045CAFA
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	4_2_00431A86
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,	4_2_0044BD27
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_0045DE8F FindFirstFileW,FindClose,	4_2_0045DE8F
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,	4_2_0044BF8B

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\svchost.exe

Network Connect: 158.101.44.242 80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: svchost.exe, 00000005.00000002.1243397567.0000000005B45000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1123909091.0000000002A5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1243612016.00000000071B0000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000005.00000002.1244057705.0000000007470000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000005.00000002.1242545788.0000000002B74000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1306752473.0000000007B80000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000009.00000003.1219174380.000000000345C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1307281485.0000000007F40000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000009.00000002.1305315065.0000000003574000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1306220026.00000000065E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: svchost.exe, 00000005.00000002.1243397567.0000000005B45000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1243237842.0000000004B41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1123909091.0000000002A5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1243612016.00000000071B0000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000005.00000002.1244057705.0000000007470000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000005.00000002.1242545788.0000000002B74000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1306752473.0000000007B80000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000009.00000003.1219174380.000000000345C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1306003093.00000000055E1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1307281485.0000000007F40000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000009.00000002.1305315065.0000000003574000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1306220026.00000000065E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: svchost.exe, 00000005.00000002.1243397567.0000000005B45000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1243237842.0000000004B41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1123909091.0000000002A5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1243612016.00000000071B0000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000005.00000002.1244057705.0000000007470000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000005.00000002.1242545788.0000000002B74000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1306752473.0000000007B80000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000009.00000003.1219174380.000000000345C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1306003093.00000000055E1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1307281485.0000000007F40000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000009.00000002.1305315065.0000000003574000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1306220026.00000000065E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: svchost.exe, 00000005.00000002.1243237842.0000000004C07000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1306003093.00000000056A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: svchost.exe, 00000005.00000002.1243237842.0000000004BF3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1243237842.0000000004C07000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1306003093.00000000056A7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1306003093.000000000569A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: svchost.exe, 00000005.00000002.1243237842.0000000004B41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1306003093.00000000055E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: svchost.exe, 00000005.00000002.1243397567.0000000005B45000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1123909091.0000000002A5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1243612016.00000000071B0000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000005.00000002.1244057705.0000000007470000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000005.00000002.1242545788.0000000002B74000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1306752473.0000000007B80000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000009.00000003.1219174380.000000000345C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1307281485.0000000007F40000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000009.00000002.1305315065.0000000003574000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1306220026.00000000065E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: svchost.exe, 00000005.00000002.1243237842.0000000004B41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1306003093.00000000055E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: svchost.exe, 00000005.00000002.1243397567.0000000005B45000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1243237842.0000000004B41000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1123909091.0000000002A5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1243612016.00000000071B0000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000005.00000002.1244057705.0000000007470000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000005.00000002.1242545788.0000000002B74000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1306752473.0000000007B80000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000009.00000003.1219174380.000000000345C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1306003093.00000000055E1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1307281485.0000000007F40000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000009.00000002.1305315065.0000000003574000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1306220026.00000000065E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: svchost.exe, 00000005.00000002.1243397567.0000000005B45000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1123909091.0000000002A5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1243612016.00000000071B0000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000005.00000002.1244057705.0000000007470000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000005.00000002.1242545788.0000000002B74000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1306752473.0000000007B80000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000009.00000003.1219174380.000000000345C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1307281485.0000000007F40000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000009.00000002.1305315065.0000000003574000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1306220026.00000000065E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: svchost.exe, 00000005.00000002.1243397567.0000000005B45000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1123909091.0000000002A5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.1243612016.00000000071B0000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000005.00000002.1244057705.0000000007470000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000005.00000002.1242545788.0000000002B74000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1306752473.0000000007B80000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000009.00000003.1219174380.000000000345C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1307281485.0000000007F40000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000009.00000002.1305315065.0000000003574000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1306220026.00000000065E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/

Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: 0_2_0045A10F OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,	0_2_0045A10F
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 2_2_0045A10F OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,	2_2_0045A10F
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_0045A10F OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,	4_2_0045A10F

Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: 0_2_0047C81C SendMessageW,NtdllDialogWndProc_W,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,SetCapture,ClientToScreen,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,	0_2_0047C81C
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 2_2_0047C81C SendMessageW,NtdllDialogWndProc_W,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,SetCapture,ClientToScreen,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,	2_2_0047C81C
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_0047C81C SendMessageW,NtdllDialogWndProc_W,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,SetCapture,ClientToScreen,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	4_2_0047C81C

Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: 0_2_0046A07E PostMessageW,GetFocus,GetDlgCtrlID,PostMessageW,NtdllDialogWndProc_W,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,	0_2_0046A07E
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: 0_2_004710F1 NtdllDialogWndProc_W,ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,	0_2_004710F1
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: 0_2_0045034C GetParent,NtdllDialogWndProc_W,	0_2_0045034C
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: 0_2_0044036A NtdllDialogWndProc_W,	0_2_0044036A
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: 0_2_00440306 NtdllDialogWndProc_W,	0_2_00440306
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: 0_2_0047132F NtdllDialogWndProc_W,	0_2_0047132F
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: 0_2_00440338 NtdllDialogWndProc_W,	0_2_00440338
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: 0_2_0046A38E NtdllDialogWndProc_W,NtdllDialogWndProc_W,	0_2_0046A38E
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: 0_2_0045039B GetParent,NtdllDialogWndProc_W,NtdllDialogWndProc_W,NtdllDialogWndProc_W,	0_2_0045039B
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: 0_2_004404E8 GetSystemMetrics,MoveWindow,SendMessageW,InvalidateRect,SendMessageW,ShowWindow,NtdllDialogWndProc_W,	0_2_004404E8
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: 0_2_0044048E NtdllDialogWndProc_W,	0_2_0044048E
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: 0_2_0044786A NtdllDialogWndProc_W,	0_2_0044786A
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: 0_2_0047C81C SendMessageW,NtdllDialogWndProc_W,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,SetCapture,ClientToScreen,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,	0_2_0047C81C
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: 0_2_004478AC GetCursorPos,TrackPopupMenuEx,NtdllDialogWndProc_W,GetCursorPos,TrackPopupMenuEx,	0_2_004478AC
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: 0_2_004479A0 GetClientRect,GetCursorPos,ScreenToClient,WindowFromPoint,NtdllDialogWndProc_W,	0_2_004479A0
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: 0_2_004629B7 NtdllDialogWndProc_W,NtdllDialogWndProc_W,	0_2_004629B7
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: 0_2_0047EA6F NtdllDialogWndProc_W,	0_2_0047EA6F
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: 0_2_00447ABC SendMessageW,NtdllDialogWndProc_W,	0_2_00447ABC
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: 0_2_00447B4E NtdllDialogWndProc_W,	0_2_00447B4E
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: 0_2_00454CFC NtdllDialogWndProc_W,	0_2_00454CFC
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: 0_2_00454D4A NtdllDialogWndProc_W,	0_2_00454D4A
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: 0_2_0042FDA6 ClientToScreen,NtdllDialogWndProc_W,	0_2_0042FDA6
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: 0_2_0042FE05 NtdllDialogWndProc_W,	0_2_0042FE05
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: 0_2_00470E96 DragQueryPoint,SendMessageW,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,	0_2_00470E96
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 2_2_0046A07E PostMessageW,GetFocus,GetDlgCtrlID,PostMessageW,NtdllDialogWndProc_W,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,	2_2_0046A07E
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 2_2_004710F1 NtdllDialogWndProc_W,ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,	2_2_004710F1
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 2_2_0045034C GetParent,NtdllDialogWndProc_W,	2_2_0045034C
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 2_2_0044036A NtdllDialogWndProc_W,	2_2_0044036A
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 2_2_00440306 NtdllDialogWndProc_W,	2_2_00440306
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 2_2_0047132F NtdllDialogWndProc_W,	2_2_0047132F
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 2_2_00440338 NtdllDialogWndProc_W,	2_2_00440338
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 2_2_0046A38E NtdllDialogWndProc_W,NtdllDialogWndProc_W,	2_2_0046A38E
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 2_2_0045039B GetParent,NtdllDialogWndProc_W,NtdllDialogWndProc_W,NtdllDialogWndProc_W,	2_2_0045039B
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 2_2_004404E8 GetSystemMetrics,MoveWindow,SendMessageW,InvalidateRect,SendMessageW,ShowWindow,NtdllDialogWndProc_W,	2_2_004404E8
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 2_2_0044048E NtdllDialogWndProc_W,	2_2_0044048E
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 2_2_0044786A NtdllDialogWndProc_W,	2_2_0044786A
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 2_2_0047C81C SendMessageW,NtdllDialogWndProc_W,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,SetCapture,ClientToScreen,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,	2_2_0047C81C
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 2_2_004478AC GetCursorPos,TrackPopupMenuEx,NtdllDialogWndProc_W,GetCursorPos,TrackPopupMenuEx,	2_2_004478AC
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 2_2_004479A0 GetClientRect,GetCursorPos,ScreenToClient,WindowFromPoint,NtdllDialogWndProc_W,	2_2_004479A0
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 2_2_004629B7 NtdllDialogWndProc_W,NtdllDialogWndProc_W,	2_2_004629B7
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 2_2_0047EA6F NtdllDialogWndProc_W,	2_2_0047EA6F
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 2_2_00447ABC SendMessageW,NtdllDialogWndProc_W,	2_2_00447ABC
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 2_2_00447B4E NtdllDialogWndProc_W,	2_2_00447B4E
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 2_2_00454CFC NtdllDialogWndProc_W,	2_2_00454CFC
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 2_2_00454D4A NtdllDialogWndProc_W,	2_2_00454D4A
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 2_2_0042FDA6 ClientToScreen,NtdllDialogWndProc_W,	2_2_0042FDA6
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 2_2_0042FE05 NtdllDialogWndProc_W,	2_2_0042FE05
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 2_2_00470E96 DragQueryPoint,SendMessageW,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,	2_2_00470E96
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_00401100 NtdllDefWindowProc_W,KillTimer,PostQuitMessage,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,	4_2_00401100
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_0046A07E PostMessageW,GetFocus,GetDlgCtrlID,PostMessageW,NtdllDialogWndProc_W,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,	4_2_0046A07E
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_004710F1 NtdllDialogWndProc_W,ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,	4_2_004710F1
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_0045034C GetParent,NtdllDialogWndProc_W,	4_2_0045034C
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_0044036A NtdllDialogWndProc_W,	4_2_0044036A
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_00440306 NtdllDialogWndProc_W,	4_2_00440306
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_0047132F NtdllDialogWndProc_W,	4_2_0047132F
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_00440338 NtdllDialogWndProc_W,	4_2_00440338
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_0046A38E NtdllDialogWndProc_W,NtdllDialogWndProc_W,	4_2_0046A38E
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_0045039B GetParent,NtdllDialogWndProc_W,NtdllDialogWndProc_W,NtdllDialogWndProc_W,	4_2_0045039B
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_004404E8 GetSystemMetrics,MoveWindow,SendMessageW,InvalidateRect,SendMessageW,ShowWindow,NtdllDialogWndProc_W,	4_2_004404E8
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_0044048E NtdllDialogWndProc_W,	4_2_0044048E
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_0044786A NtdllDialogWndProc_W,	4_2_0044786A
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_0047C81C SendMessageW,NtdllDialogWndProc_W,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,SetCapture,ClientToScreen,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	4_2_0047C81C
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_004478AC GetCursorPos,TrackPopupMenuEx,NtdllDialogWndProc_W,GetCursorPos,TrackPopupMenuEx,	4_2_004478AC
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_004479A0 GetClientRect,GetCursorPos,ScreenToClient,WindowFromPoint,NtdllDialogWndProc_W,	4_2_004479A0
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_004629B7 NtdllDialogWndProc_W,NtdllDialogWndProc_W,	4_2_004629B7
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_0047EA6F NtdllDialogWndProc_W,	4_2_0047EA6F
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_00447ABC SendMessageW,NtdllDialogWndProc_W,	4_2_00447ABC
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_00447B4E NtdllDialogWndProc_W,	4_2_00447B4E
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_00454CFC NtdllDialogWndProc_W,	4_2_00454CFC
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_00454D4A NtdllDialogWndProc_W,	4_2_00454D4A
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_0042FDA6 ClientToScreen,NtdllDialogWndProc_W,	4_2_0042FDA6
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_0042FE05 GetWindowLongW,NtdllDialogWndProc_W,	4_2_0042FE05
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_00470E96 DragQueryPoint,SendMessageW,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,	4_2_00470E96

Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: 0_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,	0_2_004333BE
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 2_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,	2_2_004333BE
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,	4_2_004333BE

Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: 0_2_004096A0	0_2_004096A0
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: 0_2_0042200C	0_2_0042200C
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: 0_2_00404170	0_2_00404170
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: 0_2_0041A217	0_2_0041A217
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: 0_2_00412216	0_2_00412216
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: 0_2_0042435D	0_2_0042435D
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: 0_2_004033C0	0_2_004033C0
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: 0_2_0044F430	0_2_0044F430
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: 0_2_004125E8	0_2_004125E8
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: 0_2_0044663B	0_2_0044663B
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: 0_2_00413801	0_2_00413801
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: 0_2_0042096F	0_2_0042096F
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: 0_2_004129D0	0_2_004129D0
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: 0_2_004119E3	0_2_004119E3
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: 0_2_0041C9AE	0_2_0041C9AE
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: 0_2_0047EA6F	0_2_0047EA6F
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: 0_2_0040FA10	0_2_0040FA10
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: 0_2_0044EB5F	0_2_0044EB5F
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: 0_2_00423C81	0_2_00423C81
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: 0_2_00411E78	0_2_00411E78
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: 0_2_00442E0C	0_2_00442E0C
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: 0_2_00420EC0	0_2_00420EC0
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: 0_2_0044CF17	0_2_0044CF17
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: 0_2_00444FD2	0_2_00444FD2
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: 0_2_02F43650	0_2_02F43650
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 2_2_004096A0	2_2_004096A0
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 2_2_0042200C	2_2_0042200C
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 2_2_00404170	2_2_00404170
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 2_2_0041A217	2_2_0041A217
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 2_2_00412216	2_2_00412216
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 2_2_0042435D	2_2_0042435D
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 2_2_004033C0	2_2_004033C0
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 2_2_0044F430	2_2_0044F430
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 2_2_004125E8	2_2_004125E8
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 2_2_0044663B	2_2_0044663B
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 2_2_00413801	2_2_00413801
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 2_2_0042096F	2_2_0042096F
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 2_2_004129D0	2_2_004129D0
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 2_2_004119E3	2_2_004119E3
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 2_2_0041C9AE	2_2_0041C9AE
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 2_2_0047EA6F	2_2_0047EA6F
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 2_2_0040FA10	2_2_0040FA10
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 2_2_0044EB5F	2_2_0044EB5F
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 2_2_00423C81	2_2_00423C81
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 2_2_00411E78	2_2_00411E78
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 2_2_00442E0C	2_2_00442E0C
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 2_2_00420EC0	2_2_00420EC0
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 2_2_0044CF17	2_2_0044CF17
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 2_2_00444FD2	2_2_00444FD2
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 2_2_03E13650	2_2_03E13650
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_004096A0	4_2_004096A0
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_0042200C	4_2_0042200C
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_00404170	4_2_00404170
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_0041A217	4_2_0041A217
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_00412216	4_2_00412216
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_0042435D	4_2_0042435D
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_004033C0	4_2_004033C0
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_0044F430	4_2_0044F430
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_004125E8	4_2_004125E8
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_0044663B	4_2_0044663B
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_00413801	4_2_00413801
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_0042096F	4_2_0042096F
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_004129D0	4_2_004129D0
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_004119E3	4_2_004119E3
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_0041C9AE	4_2_0041C9AE
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_0047EA6F	4_2_0047EA6F
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_0040FA10	4_2_0040FA10
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_0044EB5F	4_2_0044EB5F
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_00423C81	4_2_00423C81
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_00411E78	4_2_00411E78
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_00442E0C	4_2_00442E0C
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_00420EC0	4_2_00420EC0
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_0044CF17	4_2_0044CF17
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_00444FD2	4_2_00444FD2
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_00C33650	4_2_00C33650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_00408C60	5_2_00408C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0040DC11	5_2_0040DC11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_00407C3F	5_2_00407C3F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_00418CCC	5_2_00418CCC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_00406CA0	5_2_00406CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_004028B0	5_2_004028B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0041A4BE	5_2_0041A4BE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_00418244	5_2_00418244
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_00401650	5_2_00401650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_00402F20	5_2_00402F20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_004193C4	5_2_004193C4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_00418788	5_2_00418788
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_00402F89	5_2_00402F89
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_00402B90	5_2_00402B90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_004073A0	5_2_004073A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_045D4320	5_2_045D4320
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_045D2EF8	5_2_045D2EF8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_045DC9D8	5_2_045DC9D8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_045DC9C9	5_2_045DC9C9
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 7_2_02AC3650	7_2_02AC3650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_00408C60	9_2_00408C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0040DC11	9_2_0040DC11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_00407C3F	9_2_00407C3F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_00418CCC	9_2_00418CCC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_00406CA0	9_2_00406CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_004028B0	9_2_004028B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0041A4BE	9_2_0041A4BE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_00418244	9_2_00418244
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_00401650	9_2_00401650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_00402F20	9_2_00402F20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_004193C4	9_2_004193C4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_00418788	9_2_00418788
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_00402F89	9_2_00402F89
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_00402B90	9_2_00402B90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_004073A0	9_2_004073A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_07B04311	9_2_07B04311
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_07B02EF8	9_2_07B02EF8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_07B0C9D8	9_2_07B0C9D8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_07B0C9C9	9_2_07B0C9C9

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0040D606 appears 48 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0040E1D8 appears 88 times
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: String function: 004115D7 appears 36 times
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: String function: 00416C70 appears 39 times
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: String function: 00445AE0 appears 65 times
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: String function: 0040E710 appears 44 times
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: String function: 00401B10 appears 50 times
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: String function: 00408F40 appears 38 times
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: String function: 004301F8 appears 36 times
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: String function: 004115D7 appears 72 times
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: String function: 00416C70 appears 78 times
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: String function: 004181F2 appears 42 times
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: String function: 00445AE0 appears 130 times
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: String function: 0041341F appears 36 times
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: String function: 00422240 appears 38 times

Source: TR3lYZyOE3.exe	Static PE information: Section: UPX1 ZLIB complexity 0.9920951973062382
Source: Hegeleos.exe.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9920951973062382

Source: 5.2.svchost.exe.5b8df90.2.raw.unpack, -k.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.svchost.exe.5b8df90.2.raw.unpack, -cA-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.svchost.exe.5b8df90.2.raw.unpack, -cA-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.svchost.exe.2b74f2e.1.raw.unpack, -k.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.svchost.exe.2b74f2e.1.raw.unpack, -cA-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.svchost.exe.2b74f2e.1.raw.unpack, -cA-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.svchost.exe.71b0f20.5.raw.unpack, -k.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.svchost.exe.71b0f20.5.raw.unpack, -cA-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.svchost.exe.71b0f20.5.raw.unpack, -cA-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.svchost.exe.7470000.7.raw.unpack, -k.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.svchost.exe.7470000.7.raw.unpack, -cA-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.svchost.exe.7470000.7.raw.unpack, -cA-.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Command line argument: -u	0_2_0040D6B0
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Command line argument: -u	2_2_0040D6B0
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Command line argument: -u	4_2_0040D6B0

Source: unknown	Process created: C:\Users\user\Desktop\TR3lYZyOE3.exe "C:\Users\user\Desktop\TR3lYZyOE3.exe"
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Process created: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe "C:\Users\user\Desktop\TR3lYZyOE3.exe"
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\TR3lYZyOE3.exe"
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Process created: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe "C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe"
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Hegeleos.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe "C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe"
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe"
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Process created: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe "C:\Users\user\Desktop\TR3lYZyOE3.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\TR3lYZyOE3.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Process created: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe "C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe "C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe"	Jump to behavior

Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Automated click: OK
Source: C:\Windows\SysWOW64\svchost.exe	Automated click: OK

Source: 5.2.svchost.exe.71b0000.6.raw.unpack, _.cs	.Net Code: ___ System.Reflection.Assembly.Load(byte[])
Source: 5.2.svchost.exe.5b45570.3.raw.unpack, _.cs	.Net Code: ___ System.Reflection.Assembly.Load(byte[])
Source: 5.3.svchost.exe.2a5f000.1.raw.unpack, _.cs	.Net Code: ___ System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: 0_2_00416CB5 push ecx; ret	0_2_00416CC8
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 2_2_00416CB5 push ecx; ret	2_2_00416CC8
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_00416CB5 push ecx; ret	4_2_00416CC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0041C40C push cs; iretd	5_2_0041C4E2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_00423149 push eax; ret	5_2_00423179
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0041C50E push cs; iretd	5_2_0041C4E2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_004231C8 push eax; ret	5_2_00423179
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0040E21D push ecx; ret	5_2_0040E230
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0041C6BE push ebx; ret	5_2_0041C6BF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0041C40C push cs; iretd	9_2_0041C4E2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_00423149 push eax; ret	9_2_00423179
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0041C50E push cs; iretd	9_2_0041C4E2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_004231C8 push eax; ret	9_2_00423179
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0040E21D push ecx; ret	9_2_0040E230
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0041C6BE push ebx; ret	9_2_0041C6BF

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: 0_2_0047A330 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	0_2_0047A330
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: 0_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,	0_2_00434418
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 2_2_0047A330 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	2_2_0047A330
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 2_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,	2_2_00434418
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_0047A330 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	4_2_0047A330
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,	4_2_00434418

Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	API/Special instruction interceptor: Address: 3E13274
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	API/Special instruction interceptor: Address: C33274
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	API/Special instruction interceptor: Address: 2AC3274

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report TR3lYZyOE3.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
TR3lYZyOE3.exe

Source: C:\Windows\SysWOW64\svchost.exe	Memory allocated: 45D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Memory allocated: 4B40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Memory allocated: 6B40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Memory allocated: 55E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Memory allocated: 55E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Memory allocated: 75E0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes			graph_0-87613

Source: C:\Windows\SysWOW64\svchost.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Windows\SysWOW64\svchost.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	API coverage: 4.2 %
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	API coverage: 4.5 %
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	API coverage: 4.1 %

Source: C:\Windows\SysWOW64\svchost.exe TID: 3720	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 2844	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7012	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6992	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: svchost.exe, 00000009.00000002.1305267009.00000000034EE000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1274782575.00000000034EC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000006.00000002.1192964286.000001B2961A4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: r&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{5d-
Source: svchost.exe, 00000009.00000002.1304979352.0000000003454000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlltes>
Source: Hegeleos.exe, 00000002.00000002.1104558386.0000000000A8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000005.00000002.1242214951.0000000002A54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllD#

Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	API call chain: ExitProcess graph end node	graph_0-86720
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\svchost.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\svchost.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: 0_2_02F434E0 mov eax, dword ptr fs:[00000030h]	0_2_02F434E0
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: 0_2_02F43540 mov eax, dword ptr fs:[00000030h]	0_2_02F43540
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: 0_2_02F41EA0 mov eax, dword ptr fs:[00000030h]	0_2_02F41EA0
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 2_2_03E13540 mov eax, dword ptr fs:[00000030h]	2_2_03E13540
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 2_2_03E134E0 mov eax, dword ptr fs:[00000030h]	2_2_03E134E0
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 2_2_03E11EA0 mov eax, dword ptr fs:[00000030h]	2_2_03E11EA0
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_00C334E0 mov eax, dword ptr fs:[00000030h]	4_2_00C334E0
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_00C33540 mov eax, dword ptr fs:[00000030h]	4_2_00C33540
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_00C31EA0 mov eax, dword ptr fs:[00000030h]	4_2_00C31EA0
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 7_2_02AC1EA0 mov eax, dword ptr fs:[00000030h]	7_2_02AC1EA0
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 7_2_02AC34E0 mov eax, dword ptr fs:[00000030h]	7_2_02AC34E0
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 7_2_02AC3540 mov eax, dword ptr fs:[00000030h]	7_2_02AC3540

Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: 0_2_0041F250 SetUnhandledExceptionFilter,	0_2_0041F250
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: 0_2_0041A208 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0041A208
Source: C:\Users\user\Desktop\TR3lYZyOE3.exe	Code function: 0_2_00417DAA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00417DAA
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 2_2_0041F250 SetUnhandledExceptionFilter,	2_2_0041F250
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 2_2_0041A208 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_0041A208
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 2_2_00417DAA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00417DAA
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_0041F250 SetUnhandledExceptionFilter,	4_2_0041F250
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_0041A208 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_0041A208
Source: C:\Users\user\AppData\Local\bankrupture\Hegeleos.exe	Code function: 4_2_00417DAA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00417DAA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_0040CE09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_0040E61C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00416F6A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 5_2_004123F1 SetUnhandledExceptionFilter,	5_2_004123F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_0040CE09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_0040E61C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_00416F6A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_004123F1 SetUnhandledExceptionFilter,	9_2_004123F1