
Windows Analysis Report
s6R3Xjt79e.exe

Overview

General Information

Sample name: s6R3Xjt79e.exe (renamed because original name is a hash value)
Original sample name: 1ba25e6d23cb600dfda66b881fce262fa4648a35503aefaefd4b7296c27f4de1.exe
Analysis ID: 1632368
MD5: a9bb0e77948d245a6ef7570484817029
SHA1: d9e5a600ac3d8f44c6449a83ea659f09ee010bad
SHA256: 1ba25e6d23cb600dfda66b881fce262fa4648a35503aefaefd4b7296c27f4de1
Tags: exe, MassLogger, user-adrian__luca

Detection

MSIL Logger, MassLogger RAT
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected MSIL Logger
Yara detected MassLogger RAT
Yara detected Telegram RAT
.NET source code references suspicious native API functions
Binary is likely a compiled AutoIt script file
Contains functionality to log keystrokes (.Net Source)
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • s6R3Xjt79e.exe (PID: 6944 cmdline: "C:\Users\user\Desktop\s6R3Xjt79e.exe" MD5: A9BB0E77948D245A6EF7570484817029)
    • RegSvcs.exe (PID: 7120 cmdline: "C:\Users\user\Desktop\s6R3Xjt79e.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
Malware Configuration

{"EXfil Mode": "SMTP", "From": "firoz@imibd.org", "Password": "4xBIZ&CyVy_K", "Server": "mail.imibd.org"}
Source | Rule | Description | Author | Strings
00000002.00000002.2114448921.0000000000402000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
00000002.00000002.2114448921.0000000000402000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000002.00000002.2114448921.0000000000402000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_MSILLogger | Yara detected MSIL Logger | Joe Security
00000002.00000002.2114448921.0000000000402000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
00000002.00000002.2114448921.0000000000402000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0xefdf:$a1: get_encryptedPassword
  • 0xf307:$a2: get_encryptedUsername
  • 0xed7a:$a3: get_timePasswordChanged
  • 0xee9b:$a4: get_passwordField
  • 0xeff5:$a5: set_encryptedPassword
  • 0x10951:$a7: get_logins
  • 0x10602:$a8: GetOutlookPasswords
  • 0x103f4:$a9: StartKeylogger
  • 0x108a1:$a10: KeyLoggerEventArgs
  • 0x10451:$a11: KeyLoggerEventArgsEventHandler
Source | Rule | Description | Author | Strings
2.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
2.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
2.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_MSILLogger | Yara detected MSIL Logger | Joe Security
2.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
2.2.RegSvcs.exe.400000.0.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0xf1df:$a1: get_encryptedPassword
  • 0xf507:$a2: get_encryptedUsername
  • 0xef7a:$a3: get_timePasswordChanged
  • 0xf09b:$a4: get_passwordField
  • 0xf1f5:$a5: set_encryptedPassword
  • 0x10b51:$a7: get_logins
  • 0x10802:$a8: GetOutlookPasswords
  • 0x105f4:$a9: StartKeylogger
  • 0x10aa1:$a10: KeyLoggerEventArgs
  • 0x10651:$a11: KeyLoggerEventArgsEventHandler

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-07T22:56:02.051142+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49682 | 132.226.247.73 | 80 | TCP


                  AV Detection

Source: s6R3Xjt79e.exe | Avira: detected
Source: 00000002.00000002.2116038724.0000000002F81000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "firoz@imibd.org", "Password": "4xBIZ&CyVy_K", "Server": "mail.imibd.org"}
Source: s6R3Xjt79e.exe | Virustotal: Detection: 73%
Source: s6R3Xjt79e.exe | ReversingLabs: Detection: 65%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability

                  Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: s6R3Xjt79e.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.8:49683 version: TLS 1.0
Source: Binary string: wntdll.pdbUGP source: s6R3Xjt79e.exe, 00000000.00000003.887021758.0000000004080000.00000004.00001000.00020000.00000000.sdmp, s6R3Xjt79e.exe, 00000000.00000003.886666890.0000000004220000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: s6R3Xjt79e.exe, 00000000.00000003.887021758.0000000004080000.00000004.00001000.00020000.00000000.sdmp, s6R3Xjt79e.exe, 00000000.00000003.886666890.0000000004220000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\s6R3Xjt79e.exe | Code function: 0_2_001A4696 GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\s6R3Xjt79e.exe | Code function: 0_2_001AC93C FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\s6R3Xjt79e.exe | Code function: 0_2_001AC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\s6R3Xjt79e.exe | Code function: 0_2_001AF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\s6R3Xjt79e.exe | Code function: 0_2_001AF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\s6R3Xjt79e.exe | Code function: 0_2_001AF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\s6R3Xjt79e.exe | Code function: 0_2_001A3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\s6R3Xjt79e.exe | Code function: 0_2_001A3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\s6R3Xjt79e.exe | Code function: 0_2_001ABF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 02D29731h | 2_2_02D29480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 02D29E5Ah | 2_2_02D29A40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 02D29E5Ah | 2_2_02D29A30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 02D29E5Ah | 2_2_02D29D87
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 104.21.64.1
Source: Joe Sandbox View | IP Address: 132.226.247.73
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown | DNS query: name: checkip.dyndns.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49682 -> 132.226.247.73:80
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\s6R3Xjt79e.exe | Code function: 0_2_001B25E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: RegSvcs.exe, 00000002.00000002.2116038724.0000000003000000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000002.00000002.2116038724.0000000003000000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.comd
Source: RegSvcs.exe, 00000002.00000002.2116038724.0000000003000000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2116038724.0000000002FEE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000002.00000002.2116038724.0000000002F81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: RegSvcs.exe, 00000002.00000002.2116038724.0000000003000000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/d
Source: s6R3Xjt79e.exe, 00000000.00000002.896849489.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2114448921.0000000000402000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000002.00000002.2116038724.0000000003000000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.orgd
Source: RegSvcs.exe, 00000002.00000002.2116038724.000000000301D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000002.00000002.2116038724.000000000301D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.orgd
Source: RegSvcs.exe, 00000002.00000002.2116038724.0000000002F81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: s6R3Xjt79e.exe, 00000000.00000002.896849489.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2114448921.0000000000402000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: RegSvcs.exe, 00000002.00000002.2116038724.0000000003000000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
Source: s6R3Xjt79e.exe, 00000000.00000002.896849489.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2114448921.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2116038724.0000000003000000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000002.00000002.2116038724.0000000003000000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: RegSvcs.exe, 00000002.00000002.2116038724.0000000003000000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown | Network traffic detected: HTTP traffic on port 49683 -> 443

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.s6R3Xjt79e.exe.3eb0000.1.raw.unpack, UltraSpeed.cs | .Net Code: VKCodeToUnicode
Source: C:\Users\user\Desktop\s6R3Xjt79e.exe | Code function: 0_2_001B425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Source: C:\Users\user\Desktop\s6R3Xjt79e.exe | Code function: 0_2_001B4458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\s6R3Xjt79e.exe | Code function: 0_2_001A0219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState
Source: C:\Users\user\Desktop\s6R3Xjt79e.exe | Code function: 0_2_001CCDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

                  System Summary

Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.s6R3Xjt79e.exe.3eb0000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.s6R3Xjt79e.exe.3eb0000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.s6R3Xjt79e.exe.3eb0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.s6R3Xjt79e.exe.3eb0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000002.00000002.2114448921.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.896849489.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.896849489.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: Process Memory Space: s6R3Xjt79e.exe PID: 6944, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 7120, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: C:\Users\user\Desktop\s6R3Xjt79e.exe | Code function: This is a third-party compiled AutoIt script. | 0_2_00143B4C
Source: s6R3Xjt79e.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: s6R3Xjt79e.exe, 00000000.00000000.871014834.00000000001F5000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_0812c85e-7
Source: s6R3Xjt79e.exe, 00000000.00000000.871014834.00000000001F5000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer | memstr_82a7e73e-a
Source: s6R3Xjt79e.exe | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_128760bc-d
Source: s6R3Xjt79e.exe | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer | memstr_852c7a26-6
Source: C:\Users\user\Desktop\s6R3Xjt79e.exe | Code function: 0_2_001A4021: CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\Desktop\s6R3Xjt79e.exe | Code function: 0_2_00198858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\s6R3Xjt79e.exe | Code function: 0_2_001A545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\Desktop\s6R3Xjt79e.exe | Code function: 0_2_0014E800
Source: C:\Users\user\Desktop\s6R3Xjt79e.exe | Code function: 0_2_0016DBB5
Source: C:\Users\user\Desktop\s6R3Xjt79e.exe | Code function: 0_2_0014FE40
Source: C:\Users\user\Desktop\s6R3Xjt79e.exe | Code function: 0_2_001C804A
Source: C:\Users\user\Desktop\s6R3Xjt79e.exe | Code function: 0_2_0014E060
Source: C:\Users\user\Desktop\s6R3Xjt79e.exe | Code function: 0_2_00154140
Source: C:\Users\user\Desktop\s6R3Xjt79e.exe | Code function: 0_2_00162405
Source: C:\Users\user\Desktop\s6R3Xjt79e.exe | Code function: 0_2_00176522
Source: C:\Users\user\Desktop\s6R3Xjt79e.exe | Code function: 0_2_0017267E
Source: C:\Users\user\Desktop\s6R3Xjt79e.exe | Code function: 0_2_001C0665
Source: C:\Users\user\Desktop\s6R3Xjt79e.exe | Code function: 0_2_0016283A
Source: C:\Users\user\Desktop\s6R3Xjt79e.exe | Code function: 0_2_00156843
Source: C:\Users\user\Desktop\s6R3Xjt79e.exe | Code function: 0_2_001789DF
Source: C:\Users\user\Desktop\s6R3Xjt79e.exe | Code function: 0_2_00158A0E
Source: C:\Users\user\Desktop\s6R3Xjt79e.exe | Code function: 0_2_00176A94
Source: C:\Users\user\Desktop\s6R3Xjt79e.exe | Code function: 0_2_001C0AE2
Source: C:\Users\user\Desktop\s6R3Xjt79e.exe | Code function: 0_2_001A8B13
Source: C:\Users\user\Desktop\s6R3Xjt79e.exe | Code function: 0_2_0019EB07
Source: C:\Users\user\Desktop\s6R3Xjt79e.exe | Code function: 0_2_0016CD61
Source: C:\Users\user\Desktop\s6R3Xjt79e.exe | Code function: 0_2_00177006
Source: C:\Users\user\Desktop\s6R3Xjt79e.exe | Code function: 0_2_0015710E
Source: C:\Users\user\Desktop\s6R3Xjt79e.exe | Code function: 0_2_00153190
Source: C:\Users\user\Desktop\s6R3Xjt79e.exe | Code function: 0_2_00141287
Source: C:\Users\user\Desktop\s6R3Xjt79e.exe | Code function: 0_2_001633C7
Source: C:\Users\user\Desktop\s6R3Xjt79e.exe | Code function: 0_2_0016F419
Source: C:\Users\user\Desktop\s6R3Xjt79e.exe | Code function: 0_2_00155680
Source: C:\Users\user\Desktop\s6R3Xjt79e.exe | Code function: 0_2_001616C4
Source: C:\Users\user\Desktop\s6R3Xjt79e.exe | Code function: 0_2_001678D3
Source: C:\Users\user\Desktop\s6R3Xjt79e.exe | Code function: 0_2_001558C0
Source: C:\Users\user\Desktop\s6R3Xjt79e.exe | Code function: 0_2_00161BB8
Source: C:\Users\user\Desktop\s6R3Xjt79e.exe | Code function: 0_2_00179D05
Source: C:\Users\user\Desktop\s6R3Xjt79e.exe | Code function: 0_2_00161FD0
Source: C:\Users\user\Desktop\s6R3Xjt79e.exe | Code function: 0_2_0016BFE6
Source: C:\Users\user\Desktop\s6R3Xjt79e.exe | Code function: 0_2_01633650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_02D227B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_02D2C530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_02D29480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_02D2C521
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_02D22DD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_02D2946F
Source: C:\Users\user\Desktop\s6R3Xjt79e.exe | Code function: String function: 00147F41 appears 35 times
Source: C:\Users\user\Desktop\s6R3Xjt79e.exe | Code function: String function: 00168B40 appears 42 times
Source: C:\Users\user\Desktop\s6R3Xjt79e.exe | Code function: String function: 00160D27 appears 70 times
Source: s6R3Xjt79e.exe, 00000000.00000003.887960647.000000000434D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs s6R3Xjt79e.exe
Source: s6R3Xjt79e.exe, 00000000.00000003.887449152.00000000041A3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs s6R3Xjt79e.exe
Source: s6R3Xjt79e.exe, 00000000.00000002.896849489.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCloudServices.exe< vs s6R3Xjt79e.exe
Source: s6R3Xjt79e.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.s6R3Xjt79e.exe.3eb0000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.s6R3Xjt79e.exe.3eb0000.1.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.s6R3Xjt79e.exe.3eb0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.s6R3Xjt79e.exe.3eb0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.2114448921.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.896849489.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.896849489.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: s6R3Xjt79e.exe PID: 6944, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 7120, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.s6R3Xjt79e.exe.3eb0000.1.raw.unpack, UltraSpeed.cs | Cryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.s6R3Xjt79e.exe.3eb0000.1.raw.unpack, COVIDPickers.csCryptographic APIs: 'TransformFinalBlock'
                  Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/4@2/2
                  Source: C:\Users\user\Desktop\s6R3Xjt79e.exeCode function: 0_2_001AA2D5 GetLastError,FormatMessageW,0_2_001AA2D5
                  Source: C:\Users\user\Desktop\s6R3Xjt79e.exeCode function: 0_2_00198713 AdjustTokenPrivileges,CloseHandle,0_2_00198713
                  Source: C:\Users\user\Desktop\s6R3Xjt79e.exeCode function: 0_2_00198CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_00198CC3
                  Source: C:\Users\user\Desktop\s6R3Xjt79e.exeCode function: 0_2_001AB59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,0_2_001AB59E
                  Source: C:\Users\user\Desktop\s6R3Xjt79e.exeCode function: 0_2_001BF121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_001BF121
                  Source: C:\Users\user\Desktop\s6R3Xjt79e.exeCode function: 0_2_001AC602 CoInitialize,CoCreateInstance,CoUninitialize,0_2_001AC602
                  Source: C:\Users\user\Desktop\s6R3Xjt79e.exeCode function: 0_2_00144FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_00144FE9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMutant created: NULL
                  Source: C:\Users\user\Desktop\s6R3Xjt79e.exeFile created: C:\Users\user\AppData\Local\Temp\autECBF.tmpJump to behavior
                  Source: s6R3Xjt79e.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\s6R3Xjt79e.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: RegSvcs.exe, 00000002.00000002.2116038724.0000000003093000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2116038724.00000000030A0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2116038724.000000000307E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2116747439.0000000003FAD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2116038724.0000000003070000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2116038724.0000000003060000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                  Source: s6R3Xjt79e.exeVirustotal: Detection: 73%
                  Source: s6R3Xjt79e.exeReversingLabs: Detection: 65%
                  Source: unknownProcess created: C:\Users\user\Desktop\s6R3Xjt79e.exe "C:\Users\user\Desktop\s6R3Xjt79e.exe"
                  Source: C:\Users\user\Desktop\s6R3Xjt79e.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\s6R3Xjt79e.exe"
                  Source: C:\Users\user\Desktop\s6R3Xjt79e.exe	Section loaded: wsock32.dll
                  Source: C:\Users\user\Desktop\s6R3Xjt79e.exe	Section loaded: version.dll
                  Source: C:\Users\user\Desktop\s6R3Xjt79e.exe	Section loaded: winmm.dll
                  Source: C:\Users\user\Desktop\s6R3Xjt79e.exe	Section loaded: mpr.dll
                  Source: C:\Users\user\Desktop\s6R3Xjt79e.exe	Section loaded: wininet.dll
                  Source: C:\Users\user\Desktop\s6R3Xjt79e.exe	Section loaded: iphlpapi.dll
                  Source: C:\Users\user\Desktop\s6R3Xjt79e.exe	Section loaded: userenv.dll
                  Source: C:\Users\user\Desktop\s6R3Xjt79e.exe	Section loaded: uxtheme.dll
                  Source: C:\Users\user\Desktop\s6R3Xjt79e.exe	Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\s6R3Xjt79e.exe	Section loaded: windows.storage.dll
                  Source: C:\Users\user\Desktop\s6R3Xjt79e.exe	Section loaded: wldp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: s6R3Xjt79e.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                  Source: s6R3Xjt79e.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                  Source: s6R3Xjt79e.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                  Source: s6R3Xjt79e.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: s6R3Xjt79e.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                  Source: s6R3Xjt79e.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                  Source: Binary string: wntdll.pdbUGP	source: s6R3Xjt79e.exe, 00000000.00000003.887021758.0000000004080000.00000004.00001000.00020000.00000000.sdmp, s6R3Xjt79e.exe, 00000000.00000003.886666890.0000000004220000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: wntdll.pdb	source: s6R3Xjt79e.exe, 00000000.00000003.887021758.0000000004080000.00000004.00001000.00020000.00000000.sdmp, s6R3Xjt79e.exe, 00000000.00000003.886666890.0000000004220000.00000004.00001000.00020000.00000000.sdmp
                  Source: s6R3Xjt79e.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                  Source: s6R3Xjt79e.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                  Source: s6R3Xjt79e.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                  Source: s6R3Xjt79e.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                  Source: s6R3Xjt79e.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                  Source: C:\Users\user\Desktop\s6R3Xjt79e.exe	Code function: 0_2_001BC304 LoadLibraryA,GetProcAddress, 0_2_001BC304
                  Source: C:\Users\user\Desktop\s6R3Xjt79e.exe	Code function: 0_2_0014C590 push eax; retn 0014h 0_2_0014C599
                  Source: C:\Users\user\Desktop\s6R3Xjt79e.exe	Code function: 0_2_00168B85 push ecx; ret 0_2_00168B98
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02D2B3A8 push eax; iretd 2_2_02D2B445
                  Source: C:\Users\user\Desktop\s6R3Xjt79e.exe	Code function: 0_2_00144A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00144A35
                  Source: C:\Users\user\Desktop\s6R3Xjt79e.exe	Code function: 0_2_001C55FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_001C55FD
                  Source: C:\Users\user\Desktop\s6R3Xjt79e.exe	Code function: 0_2_001633C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_001633C7
                  Source: C:\Users\user\Desktop\s6R3Xjt79e.exe	Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: C:\Users\user\Desktop\s6R3Xjt79e.exe	API/Special instruction interceptor: Address: 1633274
                  Source: C:\Users\user\Desktop\s6R3Xjt79e.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-99021
                  Source: C:\Users\user\Desktop\s6R3Xjt79e.exe	API coverage: 4.8 %
                  Source: C:\Users\user\Desktop\s6R3Xjt79e.exe	Code function: 0_2_001A4696 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_001A4696
                  Source: C:\Users\user\Desktop\s6R3Xjt79e.exe	Code function: 0_2_001AC93C FindFirstFileW,FindClose, 0_2_001AC93C
                  Source: C:\Users\user\Desktop\s6R3Xjt79e.exe	Code function: 0_2_001AC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_001AC9C7
                  Source: C:\Users\user\Desktop\s6R3Xjt79e.exe	Code function: 0_2_001AF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_001AF200
                  Source: C:\Users\user\Desktop\s6R3Xjt79e.exe	Code function: 0_2_001AF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_001AF35D
                  Source: C:\Users\user\Desktop\s6R3Xjt79e.exe	Code function: 0_2_001AF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_001AF65E
                  Source: C:\Users\user\Desktop\s6R3Xjt79e.exe	Code function: 0_2_001A3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_001A3A2B
                  Source: C:\Users\user\Desktop\s6R3Xjt79e.exe	Code function: 0_2_001A3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_001A3D4E
                  Source: C:\Users\user\Desktop\s6R3Xjt79e.exe	Code function: 0_2_001ABF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_001ABF27
                  Source: C:\Users\user\Desktop\s6R3Xjt79e.exe	Code function: 0_2_00144AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00144AFE
                  Source: RegSvcs.exe, 00000002.00000002.2114726314.0000000001097000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Users\user\Desktop\s6R3Xjt79e.exe	API call chain: ExitProcess graph end node graph_0-98141
                  Source: C:\Users\user\Desktop\s6R3Xjt79e.exe	API call chain: ExitProcess graph end node graph_0-98213
                  Source: C:\Users\user\Desktop\s6R3Xjt79e.exe	Code function: 0_2_001B41FD BlockInput, 0_2_001B41FD
                  Source: C:\Users\user\Desktop\s6R3Xjt79e.exe	Code function: 0_2_00143B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00143B4C
                  Source: C:\Users\user\Desktop\s6R3Xjt79e.exe	Code function: 0_2_00175CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00175CCC
                  Source: C:\Users\user\Desktop\s6R3Xjt79e.exe	Code function: 0_2_001BC304 LoadLibraryA,GetProcAddress, 0_2_001BC304
                  Source: C:\Users\user\Desktop\s6R3Xjt79e.exe	Code function: 0_2_01633540 mov eax, dword ptr fs:[00000030h] 0_2_01633540
                  Source: C:\Users\user\Desktop\s6R3Xjt79e.exe	Code function: 0_2_016334E0 mov eax, dword ptr fs:[00000030h] 0_2_016334E0
                  Source: C:\Users\user\Desktop\s6R3Xjt79e.exe	Code function: 0_2_01631E70 mov eax, dword ptr fs:[00000030h] 0_2_01631E70
                  Source: C:\Users\user\Desktop\s6R3Xjt79e.exe	Code function: 0_2_001981F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_001981F7
                  Source: C:\Users\user\Desktop\s6R3Xjt79e.exe	Code function: 0_2_0016A364 SetUnhandledExceptionFilter, 0_2_0016A364
                  Source: C:\Users\user\Desktop\s6R3Xjt79e.exe	Code function: 0_2_0016A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0016A395
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  Source: 0.2.s6R3Xjt79e.exe.3eb0000.1.raw.unpack, UltraSpeed.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
                  Source: 0.2.s6R3Xjt79e.exe.3eb0000.1.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
                  Source: 0.2.s6R3Xjt79e.exe.3eb0000.1.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))
                  Source: C:\Users\user\Desktop\s6R3Xjt79e.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
                  Source: C:\Users\user\Desktop\s6R3Xjt79e.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: F21008
                  Source: C:\Users\user\Desktop\s6R3Xjt79e.exe	Code function: 0_2_00198C93 LogonUserW, 0_2_00198C93
                  Source: C:\Users\user\Desktop\s6R3Xjt79e.exe	Code function: 0_2_00143B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00143B4C
                  Source: C:\Users\user\Desktop\s6R3Xjt79e.exe	Code function: 0_2_00144A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00144A35
                  Source: C:\Users\user\Desktop\s6R3Xjt79e.exe	Code function: 0_2_001A4EC9 mouse_event, 0_2_001A4EC9
                  Source: C:\Users\user\Desktop\s6R3Xjt79e.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\s6R3Xjt79e.exe"
                  Source: C:\Users\user\Desktop\s6R3Xjt79e.exe	Code function: 0_2_001981F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_001981F7
                  Source: C:\Users\user\Desktop\s6R3Xjt79e.exe	Code function: 0_2_001A4C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_001A4C03
                  Source: s6R3Xjt79e.exe	Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                  Source: s6R3Xjt79e.exe	Binary or memory string: Shell_TrayWnd
                  Source: C:\Users\user\Desktop\s6R3Xjt79e.exe	Code function: 0_2_0016886B cpuid 0_2_0016886B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\s6R3Xjt79e.exe	Code function: 0_2_001750D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_001750D7
                  Source: C:\Users\user\Desktop\s6R3Xjt79e.exe	Code function: 0_2_00182230 GetUserNameW, 0_2_00182230
                  Source: C:\Users\user\Desktop\s6R3Xjt79e.exe	Code function: 0_2_0017418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 0_2_0017418A
                  Source: C:\Users\user\Desktop\s6R3Xjt79e.exe	Code function: 0_2_00144AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00144AFE
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

                  Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match	File source: 0.2.s6R3Xjt79e.exe.3eb0000.1.unpack, type: UNPACKEDPE
                  Source: Yara match	File source: 0.2.s6R3Xjt79e.exe.3eb0000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match	File source: 00000002.00000002.2114448921.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match	File source: 00000000.00000002.896849489.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match	File source: Process Memory Space: s6R3Xjt79e.exe PID: 6944, type: MEMORYSTR
                  Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7120, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: s6R3Xjt79e.exe | Binary or memory string: WIN_81
Source: s6R3Xjt79e.exe | Binary or memory string: WIN_XP
Source: s6R3Xjt79e.exe | Binary or memory string: WIN_XPe
Source: s6R3Xjt79e.exe | Binary or memory string: WIN_VISTA
Source: s6R3Xjt79e.exe | Binary or memory string: WIN_7
Source: s6R3Xjt79e.exe | Binary or memory string: WIN_8
Source: s6R3Xjt79e.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 4USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
Source: Yara match | File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.s6R3Xjt79e.exe.3eb0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.s6R3Xjt79e.exe.3eb0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2114448921.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.896849489.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2116038724.00000000030D6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: s6R3Xjt79e.exe PID: 6944, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7120, type: MEMORYSTR
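The behaviour above is the detection-relevant core of this section: a .NET framework utility (RegSvcs.exe, the injection host) opens the Chromium "Login Data" stores of Edge and Chrome, opens the Outlook MAPI profile key, and reads MachineGuid. The following is an added triage example, not Joe Sandbox code: it grades process/file/registry events against that pattern. The event records are constructed to mirror the report's observations, and their field names (image, pid, type, target, value) are an assumed minimal schema rather than any vendor's format.

```python
"""Behaviour-based triage for the credential-theft pattern seen in this report.

Added example, not Joe Sandbox code. Event dicts are constructed; the field
names are an assumed minimal schema, not a real telemetry product's format.
"""
import re

# Chromium-family credential store: ...\User Data\<profile>\Login Data
LOGIN_DATA_RE = re.compile(r"\\User Data\\[^\\]+\\Login Data$", re.IGNORECASE)
# Outlook/MAPI profile hive that mail-credential stealers enumerate
OUTLOOK_PROFILE_RE = re.compile(r"\\Windows Messaging Subsystem\\Profiles\\", re.IGNORECASE)
# Key holding MachineGuid, commonly read to build a victim identifier
CRYPTO_KEY_RE = re.compile(r"\\SOFTWARE\\Microsoft\\Cryptography$", re.IGNORECASE)

# Processes expected to touch those stores (assumption: tune to the estate)
BROWSERS = {"chrome.exe", "msedge.exe"}
MAIL_CLIENTS = {"outlook.exe"}
# .NET framework utilities frequently abused as hollowing/injection hosts
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}


def image_name(path):
    """Basename of an image path, lower-cased, tolerant of either slash."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_events(events):
    """Return one finding per event that matches a stealer access pattern.

    MachineGuid reads are far too common to alert on alone, so they are only
    recorded when the reader is one of the .NET host utilities; they act as
    corroboration in verdicts(), never as an alert by themselves.
    """
    findings = []
    for ev in events:
        image = image_name(ev["image"])
        target = ev["target"]
        technique = None
        if ev["type"] == "file_open" and LOGIN_DATA_RE.search(target):
            if image not in BROWSERS:
                technique = "browser_credential_store_access"
        elif ev["type"] == "reg_open" and OUTLOOK_PROFILE_RE.search(target):
            if image not in MAIL_CLIENTS:
                technique = "mail_profile_access"
        elif (ev["type"] == "reg_query" and CRYPTO_KEY_RE.search(target)
              and ev.get("value", "").lower() == "machineguid"):
            if image in DOTNET_HOSTS:
                technique = "machine_fingerprint"
        if technique:
            findings.append({"pid": ev["pid"], "image": image,
                             "technique": technique, "target": target})
    return findings


def verdicts(findings):
    """Collapse findings per PID: a .NET host utility showing two or more of the
    techniques is the report's exact pattern (high); two or more from any other
    process is medium; a single hit is low."""
    per_pid = {}
    for f in findings:
        entry = per_pid.setdefault(f["pid"], {"image": f["image"], "techniques": set()})
        entry["techniques"].add(f["technique"])
    for entry in per_pid.values():
        n = len(entry["techniques"])
        if entry["image"] in DOTNET_HOSTS and n >= 2:
            entry["verdict"] = "high"
        elif n >= 2:
            entry["verdict"] = "medium"
        else:
            entry["verdict"] = "low"
    return per_pid


# Constructed events modelled on the report's RegSvcs.exe (PID 7120) behaviour,
# plus benign accesses by the legitimate owners of the same stores.
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
SAMPLE_EVENTS = [
    {"image": REGSVCS, "pid": 7120, "type": "file_open",
     "target": r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"},
    {"image": REGSVCS, "pid": 7120, "type": "file_open",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"image": REGSVCS, "pid": 7120, "type": "reg_open",
     "target": r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"image": REGSVCS, "pid": 7120, "type": "reg_query",
     "target": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography", "value": "MachineGuid"},
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "pid": 4100,
     "type": "file_open",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "pid": 5200,
     "type": "reg_open",
     "target": r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook"},
    {"image": r"C:\Windows\System32\svchost.exe", "pid": 900, "type": "reg_query",
     "target": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography", "value": "MachineGuid"},
]

if __name__ == "__main__":
    for pid, v in verdicts(triage_events(SAMPLE_EVENTS)).items():
        print(pid, v["image"], v["verdict"], sorted(v["techniques"]))
```

On the constructed events only PID 7120 produces findings; the browser and mail client reading their own stores, and svchost.exe reading MachineGuid, are ignored. The allow-lists are the part to tune: password managers and backup agents legitimately open "Login Data", so in production the browser set should be widened rather than the rule loosened.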

                  Remote Access Functionality

Yara matches (the report repeats the same source list once under each of this section's three Yara-based signatures; it is shown once here):
Source: Yara match | File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.s6R3Xjt79e.exe.3eb0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.s6R3Xjt79e.exe.3eb0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2114448921.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.896849489.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: s6R3Xjt79e.exe PID: 6944, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7120, type: MEMORYSTR
Source: C:\Users\user\Desktop\s6R3Xjt79e.exe | Code function: 0_2_001B6596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
Source: C:\Users\user\Desktop\s6R3Xjt79e.exe | Code function: 0_2_001B6A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket
MITRE ATT&CK Matrix

Techniques are grouped by tactic. The numbers preceding a technique are the report's signature-count markers, reproduced as printed; techniques without a number are the matrix's unflagged cells.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 12 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 1 DLL Side-Loading; 2 Valid Accounts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 212 Process Injection; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: 11 Disable or Modify Tools; 11 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 212 Process Injection; Indicator Removal from Tools; HTML Smuggling
Credential Access: 1 OS Credential Dumping; 121 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 2 System Time Discovery; 1 Account Discovery; 1 File and Directory Discovery; 127 System Information Discovery; 131 Security Software Discovery; 2 Process Discovery; 1 Application Window Discovery; 1 System Owner/User Discovery; 1 System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 11 Archive Collected Data; 1 Data from Local System; 1 Email Collection; 121 Input Capture; 3 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 2 Ingress Tool Transfer; 11 Encrypted Channel; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

Source | Detection | Scanner | Label
s6R3Xjt79e.exe | 74% | Virustotal | (none)
s6R3Xjt79e.exe | 66% | ReversingLabs | Win32.Exploit.MassLogger
s6R3Xjt79e.exe | 100% | Avira | TR/AD.ShellcodeCrypter.wibuk
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
reallyfreegeoip.org | 104.21.64.1 | true | false | (none) | high
checkip.dyndns.com | 132.226.247.73 | true | false | (none) | high
checkip.dyndns.org | unknown | unknown | false | (none) | high
Name | Malicious | Antivirus Detection | Reputation
http://checkip.dyndns.org/ | false | (none) | high
https://reallyfreegeoip.org/xml/8.46.123.189 | false | (none) | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://reallyfreegeoip.org/xml/8.46.123.189l | RegSvcs.exe, 00000002.00000002.2116038724.0000000003000000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
http://checkip.dyndns.comd | RegSvcs.exe, 00000002.00000002.2116038724.0000000003000000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
http://checkip.dyndns.org/q | s6R3Xjt79e.exe, 00000000.00000002.896849489.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2114448921.0000000000402000.00000040.80000000.00040000.00000000.sdmp | false | (none) | high
http://reallyfreegeoip.orgd | RegSvcs.exe, 00000002.00000002.2116038724.000000000301D000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
https://reallyfreegeoip.org/xml/8.46.123.189d | RegSvcs.exe, 00000002.00000002.2116038724.0000000003000000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
http://reallyfreegeoip.org | RegSvcs.exe, 00000002.00000002.2116038724.000000000301D000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
http://checkip.dyndns.orgd | RegSvcs.exe, 00000002.00000002.2116038724.0000000003000000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
https://reallyfreegeoip.org | RegSvcs.exe, 00000002.00000002.2116038724.0000000003000000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
http://checkip.dyndns.org | RegSvcs.exe, 00000002.00000002.2116038724.0000000003000000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2116038724.0000000002FEE000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
http://checkip.dyndns.com | RegSvcs.exe, 00000002.00000002.2116038724.0000000003000000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
http://checkip.dyndns.org/d | RegSvcs.exe, 00000002.00000002.2116038724.0000000003000000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegSvcs.exe, 00000002.00000002.2116038724.0000000002F81000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
https://api.telegram.org/bot-/sendDocument?chat_id= | s6R3Xjt79e.exe, 00000000.00000002.896849489.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2114448921.0000000000402000.00000040.80000000.00040000.00000000.sdmp | false | (none) | high
https://reallyfreegeoip.org/xml/ | s6R3Xjt79e.exe, 00000000.00000002.896849489.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2114448921.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2116038724.0000000003000000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.64.1 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENET US | false
132.226.247.73 | checkip.dyndns.com | United States | 16989 | UTMEM US | false
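The network artefacts above are the reusable part of this report: two public-IP/geolocation services (checkip.dyndns.org / .com, reallyfreegeoip.org/xml/<ip>) and a Telegram Bot API upload URL whose token slot is still empty in the extracted string ("bot-/sendDocument?chat_id="). The following is an added example, not Joe Sandbox code, that pulls those indicators out of a strings dump and tells an unfilled template apart from a populated exfiltration URL. SAMPLE_STRINGS is constructed: its first lines repeat URLs the report found in memory, while the fully populated Telegram URL is a placeholder (all-zero bot id, 35-character dummy secret), not a value recovered from this sample.

```python
"""Extract this family's network IOCs from a list of memory strings.

Added example, not Joe Sandbox code. SAMPLE_STRINGS is constructed; the
populated Telegram URL is a placeholder, not a value from the report.
"""
import re

TELEGRAM_RE = re.compile(
    r"https://api\.telegram\.org/bot(?P<token>[^/\s]*)/(?P<method>send\w+)"
    r"(?:\?chat_id=(?P<chat>[^&\s]*))?")
# Real bot tokens look like <numeric bot id>:<roughly 35-char secret>; anything
# else (such as the "-" in the report's "bot-/sendDocument") is an unfilled template
TOKEN_SHAPE = re.compile(r"\d+:[A-Za-z0-9_-]{30,}")
GEOIP_RE = re.compile(
    r"https?://reallyfreegeoip\.org(?:/xml/(?P<ip>\d{1,3}(?:\.\d{1,3}){3})?)?")
CHECKIP_RE = re.compile(r"https?://(?P<host>checkip\.dyndns\.(?:org|com))/?")


def extract_iocs(strings):
    """Classify every IOC URL found in the strings; unrelated URLs are ignored."""
    iocs = {"telegram": [], "geoip": [], "checkip": [], "hosts": set()}
    for s in strings:
        for m in TELEGRAM_RE.finditer(s):
            token = m.group("token")
            iocs["telegram"].append({
                "token": token,
                "configured": TOKEN_SHAPE.fullmatch(token) is not None,
                "method": m.group("method"),
                "chat_id": m.group("chat") or None,
            })
            iocs["hosts"].add("api.telegram.org")
        for m in GEOIP_RE.finditer(s):
            # A concrete IP here is the infected host's egress address, which the
            # sample looks up to geolocate the victim (8.46.123.189 in the report)
            iocs["geoip"].append(m.group("ip"))
            iocs["hosts"].add("reallyfreegeoip.org")
        for m in CHECKIP_RE.finditer(s):
            iocs["checkip"].append(m.group("host"))
            iocs["hosts"].add(m.group("host"))
    return iocs


def exfil_configured(iocs):
    """True when at least one Telegram URL carries a real-looking token and a chat id."""
    return any(t["configured"] and t["chat_id"] for t in iocs["telegram"])


SAMPLE_STRINGS = [
    "http://checkip.dyndns.org/",
    "https://reallyfreegeoip.org/xml/",
    "https://reallyfreegeoip.org/xml/8.46.123.189",
    "https://api.telegram.org/bot-/sendDocument?chat_id=",
    # constructed placeholder: correct shape, meaningless values
    "https://api.telegram.org/bot000000000:" + "A" * 35 + "/sendDocument?chat_id=000000000",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
]

if __name__ == "__main__":
    result = extract_iocs(SAMPLE_STRINGS)
    print(sorted(result["hosts"]), exfil_configured(result))
    for entry in result["telegram"]:
        print(entry)
```

The geolocation and public-IP hosts are shared with the Snake Keylogger, GuLoader and AgentTesla samples in the context tables below, so they are good hunting pivots but poor sole indicators; the populated Telegram bot token and chat id, when the unpacked payload exposes them, are the indicators that identify the operator.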
                                                        Joe Sandbox version:42.0.0 Malachite
                                                        Analysis ID:1632368
                                                        Start date and time:2025-03-07 22:55:03 +01:00
                                                        Joe Sandbox product:CloudBasic
                                                        Overall analysis duration:0h 5m 27s
                                                        Hypervisor based Inspection enabled:false
                                                        Report type:full
                                                        Cookbook file name:default.jbs
                                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 12
                                                        Number of new started drivers analysed:0
                                                        Number of existing processes analysed:0
                                                        Number of existing drivers analysed:0
                                                        Number of injected processes analysed:0
                                                        Technologies:
                                                        • HCA enabled
                                                        • EGA enabled
                                                        • AMSI enabled
                                                        Analysis Mode:default
                                                        Analysis stop reason:Timeout
                                                        Sample name:s6R3Xjt79e.exe
                                                        renamed because original name is a hash value
                                                        Original Sample Name:1ba25e6d23cb600dfda66b881fce262fa4648a35503aefaefd4b7296c27f4de1.exe
                                                        Detection:MAL
                                                        Classification:mal100.troj.spyw.evad.winEXE@3/4@2/2
                                                        EGA Information:
                                                        • Successful, ratio: 50%
                                                        HCA Information:
                                                        • Successful, ratio: 100%
                                                        • Number of executed functions: 65
                                                        • Number of non-executed functions: 262
                                                        Cookbook Comments:
                                                        • Found application associated with file extension: .exe
                                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                        • Excluded IPs from analysis (whitelisted): 23.60.203.209
                                                        • Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com, c.pki.goog
                                                        • Execution Graph export aborted for target RegSvcs.exe, PID 7120 because it is empty
• Not all processes were analysed; the report is missing behavior information
                                                        • Report size exceeded maximum capacity and may have missing disassembly code.
                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                                        • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                        No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: 104.21.64.1
begin.exe | malicious | DarkTortilla, FormBook | www.kdrqcyusevx.info/z84n/
Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe | malicious | Lokibot | touxzw.ir/fix/five/fre.php
Payment.exe | malicious | Lokibot | touxzw.ir/sccc/five/fre.php
7RryusxiMtHBz80.exe | malicious | Lokibot | touxzw.ir/sss2/five/fre.php
Request for quotation -6001845515-XLSX.exe | malicious | Lokibot | touxzw.ir/tking3/five/fre.php
vsf098633534.exe | malicious | Lokibot | touxzw.ir/sccc/five/fre.php
laser.ps1 | malicious | FormBook | www.lucynoel6465.shop/jgkl/
UPDATED SOA.pdf.exe | malicious | FormBook | www.shlomi.app/t3l4/
QUOTE OF DRY DOCK REPAIR.exe | malicious | FormBook | www.arryongro-nambe.live/ljgq/
QUOTATION NO REQ-19-000640.exe | malicious | FormBook | www.askvtwv8.top/2875/
Match: 132.226.247.73
GuuQOl5kJR.exe | malicious | GuLoader, Snake Keylogger | checkip.dyndns.org/
l9inNHJqHS.exe | malicious | Snake Keylogger | checkip.dyndns.org/
tSftorqHTy.exe | malicious | MSIL Logger, MassLogger RAT | checkip.dyndns.org/
DayVXJx1km.exe | malicious | GuLoader, Snake Keylogger | checkip.dyndns.org/
cexqIzhyvM.exe | malicious | GuLoader | checkip.dyndns.org/
drRbNknjyb.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
pkNnK2ya0f.exe | malicious | GuLoader, Snake Keylogger | checkip.dyndns.org/
DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | malicious | MSIL Logger, MassLogger RAT | checkip.dyndns.org/
ZTEIhNCtP3.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
uPDwUy9ewY.exe | malicious | GuLoader, Snake Keylogger | checkip.dyndns.org/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: reallyfreegeoip.org
GuuQOl5kJR.exe | malicious | GuLoader, Snake Keylogger | 104.21.64.1
hUMdKouQ1H.exe | malicious | GuLoader, Snake Keylogger | 104.21.48.1
1258ad6Jpw.exe | malicious | GuLoader | 104.21.16.1
iFoDComHqT.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.112.1
cqWZtEH4eJ.exe | malicious | GuLoader, Snake Keylogger | 104.21.16.1
axN56TZ3PI.exe | malicious | GuLoader, Snake Keylogger | 104.21.64.1
bvhauD4o49.exe | malicious | GuLoader, Snake Keylogger | 104.21.32.1
0CBJ3aLKx0.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.32.1
26YzPy68Rz.exe | malicious | GuLoader, Snake Keylogger | 104.21.80.1
AEo2XQmxqZ.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.112.1
Match: checkip.dyndns.com
GuuQOl5kJR.exe | malicious | GuLoader, Snake Keylogger | 132.226.247.73
hUMdKouQ1H.exe | malicious | GuLoader, Snake Keylogger | 193.122.130.0
1258ad6Jpw.exe | malicious | GuLoader | 158.101.44.242
iFoDComHqT.exe | malicious | MSIL Logger, MassLogger RAT | 193.122.130.0
cqWZtEH4eJ.exe | malicious | GuLoader, Snake Keylogger | 132.226.8.169
axN56TZ3PI.exe | malicious | GuLoader, Snake Keylogger | 132.226.8.169
bvhauD4o49.exe | malicious | GuLoader, Snake Keylogger | 158.101.44.242
0CBJ3aLKx0.exe | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
26YzPy68Rz.exe | malicious | GuLoader, Snake Keylogger | 158.101.44.242
AEo2XQmxqZ.exe | malicious | MSIL Logger, MassLogger RAT | 132.226.8.169
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: UTMEMUS
GuuQOl5kJR.exe | malicious | GuLoader, Snake Keylogger | 132.226.247.73
cqWZtEH4eJ.exe | malicious | GuLoader, Snake Keylogger | 132.226.8.169
axN56TZ3PI.exe | malicious | GuLoader, Snake Keylogger | 132.226.8.169
AEo2XQmxqZ.exe | malicious | MSIL Logger, MassLogger RAT | 132.226.8.169
l9inNHJqHS.exe | malicious | Snake Keylogger | 132.226.247.73
CWu89IbJQw.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 132.226.8.169
tSftorqHTy.exe | malicious | MSIL Logger, MassLogger RAT | 132.226.247.73
DayVXJx1km.exe | malicious | GuLoader, Snake Keylogger | 132.226.247.73
NDCNDvC27F.exe | malicious | GuLoader, Snake Keylogger | 132.226.8.169
cexqIzhyvM.exe | malicious | GuLoader | 132.226.247.73
Match: CLOUDFLARENETUS
GuuQOl5kJR.exe | malicious | GuLoader, Snake Keylogger | 104.21.64.1
hUMdKouQ1H.exe | malicious | GuLoader, Snake Keylogger | 104.21.48.1
ZWyrFp7WBM.exe | malicious | AgentTesla | 104.26.12.205
xnlP06YunJ.exe | malicious | AgentTesla | 104.26.13.205
jki-dragon-release-online-setup.exe | malicious | Unknown | 104.17.118.104
1258ad6Jpw.exe | malicious | GuLoader | 104.21.16.1
kbdXtadZsM.exe | malicious | AgentTesla | 104.26.12.205
NBdxPYAgZf.exe | malicious | AgentTesla | 172.67.74.152
iFoDComHqT.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.112.1
yXsTZ347KJ.exe | malicious | Unknown | 162.159.130.233
Match | Associated Sample Name / URL | Detection | Threat Name | Context
54328bd36c14bd82ddaa0c04b25ed9ad | GuuQOl5kJR.exe | malicious | GuLoader, Snake Keylogger | 104.21.64.1
54328bd36c14bd82ddaa0c04b25ed9ad | hUMdKouQ1H.exe | malicious | GuLoader, Snake Keylogger | 104.21.64.1
54328bd36c14bd82ddaa0c04b25ed9ad | 2Jq4fZJIJ8.exe | malicious | GuLoader | 104.21.64.1
54328bd36c14bd82ddaa0c04b25ed9ad | 1258ad6Jpw.exe | malicious | GuLoader | 104.21.64.1
54328bd36c14bd82ddaa0c04b25ed9ad | iFoDComHqT.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.64.1
54328bd36c14bd82ddaa0c04b25ed9ad | cqWZtEH4eJ.exe | malicious | GuLoader, Snake Keylogger | 104.21.64.1
54328bd36c14bd82ddaa0c04b25ed9ad | axN56TZ3PI.exe | malicious | GuLoader, Snake Keylogger | 104.21.64.1
54328bd36c14bd82ddaa0c04b25ed9ad | bvhauD4o49.exe | malicious | GuLoader, Snake Keylogger | 104.21.64.1
54328bd36c14bd82ddaa0c04b25ed9ad | 0CBJ3aLKx0.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.64.1
54328bd36c14bd82ddaa0c04b25ed9ad | 26YzPy68Rz.exe | malicious | GuLoader, Snake Keylogger | 104.21.64.1
                                                        No context
                                                        Process:C:\Users\user\Desktop\s6R3Xjt79e.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):16640
                                                        Entropy (8bit):7.497423871364306
                                                        Encrypted:false
                                                        SSDEEP:384:YrBdiwo23wc66qZ6A1omljJTJ+6yEU1uITl4ODxiKfbOA5JBJ:24r5u/mdPU1uy3NJ
                                                        MD5:256DAE64AA365CACE164E571945AA254
                                                        SHA1:EE031705A43A043E238EF5B9E60872A020A35019
                                                        SHA-256:79A00ED8FC3F29A2A84917A59E4E9CDB32B5937D486A53418832FA43B32B7377
                                                        SHA-512:34E21EAB97FDD338A1775ADC8B2A70220259CF7C4E808315E96DE338835606A86FD32989017EC4621D00F2EE4F4BE40665B1323D93569DE4184A2B6DB69ADD16
                                                        Malicious:false
                                                        Reputation:low
                                                        Preview:EA06..`&.N&....c2.....x.....+...n....(.V.`..4........#92.........M..>i....8.2..@...(.W.6......9........K|..o....B....V..o.d.i...h~3.!....9...@.?.{....6.....?..(...3.....?.......9....?..!.r.....|. 8O..j...M..?......6.8..`C.......}..P|...=....-....@i.........|.`...<!........y.........:......p.....X...Z....C.-......?.....[2....@<>{(...o4....C..p-...j........0-..Vj.....t~3.)O..l.i...B.?.[ n..8.....?.k n..!I..Y.u?.,........R..V@.O.B..j...~....U.8C......n...'..e....)?..(...!I..YF6?.Y.X'..6....l p....%[....p..,..L..b..Z....-..7..h..p.O.....h..p.O..r.....h|.qdO..*3.L...f.n....Y..A..h.......Y..7.t..&........HC.....?..g'..a.8.....x...a.8..C.?.k.....7......C....s._.8.B.?..!....!.N@.?...I'...9..B:?..!..&q...h?..-....i....?...`...3..........C........"......`.....0!..V.X!.L.b?...`...i..X..?.Y.....X!..X.h?.C.....i..........f...,.+..,.U....V1>.....d..bq..U...x...n?.k....G1...' M.4......@7..t.'....2...7.......... ......Z~.@.O...q....|.............s..o......X..`.....
                                                        Process:C:\Users\user\Desktop\s6R3Xjt79e.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):69010
                                                        Entropy (8bit):7.912547763787364
                                                        Encrypted:false
                                                        SSDEEP:1536:7zloULFm04I5H/XbDVJ+wz3PNBwCGdEol2UIcY0YNLa49Jw:7Gslh+wz3TwNlgcYfJap
                                                        MD5:86140FB81AF70C8634494F23E66E71B0
                                                        SHA1:7C0BF5273A48CEA9F67E7F8D17A19E0F73F08BCF
                                                        SHA-256:03511A128D35359A4F3530DD5767CF21D6A82E37B41A39C88F9BA29933E76246
                                                        SHA-512:B7C189121FB2B3871E6AE931A71B3A615C153861AE735F7B33EF012986666A13E9CDF57A1CD70CD1FB0F01E90793B256988440D292AF4F223A4FF699536C63CA
                                                        Malicious:false
                                                        Reputation:low
                                                        Preview:EA06..n..D..Zu.aF.S.UNN.eG.PkSZm.eV....E..M..(..d.2.....S.....l.R......i.....;..-.i<.CB......bQ]..$s...e\.N..H\.+u.Jj.;E..^..(.;..U..*.?3(....5..Qj....G.U.u:..f3.J=>.t..<.P.b.G.].!.m".Q...H..Z.4.Q...>.P...*...6.....+....l(.H........?..L..<.......Vy.Z..7.=.6...v. .L&@.f.H......7.Q.l.j|..D..$.....6|.UJ}8.l.L@.>...-}..dry-V.J..rUY..`.6M...?..F..^.|Nm$....(.i..e;.Pk^...eU.6"..5O...Q............6._C..@..F.P..:-<..R..b..lE.......6'`.e..D..(...b...I..I`....6$........(.....A.O....R.s.S.Tk..k..Q.. .2m4.....,.W.]..gT.d.Mmu*..6..(....q.T..r.N.I..j}&w..L..J..AK.....R.`..i....O..t....k.Mi.y.Z.W.Fgu..6...Q......2..)u..&.,.^.....3....J..)8..6.....L...u.% .l....J.7..biS..(t..ZE'.Q....RmL.A.....}.J+..E*S...V.e.|.Q.T....5..fW..NU|..,4.u.O._.........h.*.....X....2....(.mR...6o...R.H.F).i.....U&.h. .....Uj.N....)..(.!R.Z(........f2...;B.Y..Kdf.V..Tz..|..E*.....S.F/.!..15...~...G._!.:..T..h.*,....Q&....1..fUMm..O.Q*....F..%VP..S..D(.I\..U.R..M..N..4ti.....Mh.{(..N.Dh
                                                        Process:C:\Users\user\Desktop\s6R3Xjt79e.exe
                                                        File Type:ASCII text, with very long lines (65536), with no line terminators
                                                        Category:dropped
                                                        Size (bytes):286758
                                                        Entropy (8bit):2.7549624777802024
                                                        Encrypted:false
                                                        SSDEEP:24:4WXpOOOfOOOOOGOOOOOFOOOOOiOOOOOlOOOOO+OOOOOQOOOOOAwOOOOOYOOOOOeB:17
                                                        MD5:194FF7A37D95B888E9DA719074591498
                                                        SHA1:304C4E7629DBBDC7F63A9B5BA135E98F8D0E519B
                                                        SHA-256:B1DE99D2D72F741D062A0891DCCDDFD38E38227B1334BA3766D9EC9D85124434
                                                        SHA-512:6AC8EF4F806DD1FCF8141E01F91A01925ABF6A7D1C036379D1A544901AC8F455CA60D52DAB5732221B40BBD24FA86DEE07318AB54DCA54DADE11D29BB91629DC
                                                        Malicious:false
                                                        Reputation:low
                                                        Preview:6851051210685105121x685105121568510512156851051218685105121b685105121e685105121c68510512186851051211685105121e685105121c685105121c685105121c6851051210685105121268510512106851051210685105121068510512106851051215685105121668510512156851051217685105121b68510512186851051216685105121b68510512106851051210685105121068510512106851051210685105121068510512166851051216685105121868510512196851051214685105121568510512186851051214685105121b68510512196851051216685105121568510512106851051210685105121068510512106851051210685105121068510512166851051216685105121868510512196851051214685105121d68510512186851051216685105121b685105121a6851051217685105121268510512106851051210685105121068510512106851051210685105121068510512166851051216685105121868510512196851051215685105121568510512186851051218685105121b68510512186851051216685105121e6851051210685105121068510512106851051210685105121068510512106851051216685105121668510512186851051219685105121468510512156851051218685105121a685105121b685105121968510512166851051215
                                                        Process:C:\Users\user\Desktop\s6R3Xjt79e.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):93696
                                                        Entropy (8bit):6.82251210202557
                                                        Encrypted:false
                                                        SSDEEP:1536:tGqRPR9Cur15siadaXEehXNN+cYOnaIPY3j+eWzx/2VwaT/jyrOlkHFqXR:IKJzrDsp0EMXNEdOnaR3VwavXR
                                                        MD5:69EA161781BDE4AFB17D5EF362FAA922
                                                        SHA1:D910B9934A6B1B5CA974205B0201C14D4F30D41C
                                                        SHA-256:7EB961D2E6263C8C3C7FE8B75F7889D9DA1631C6BC06D8E7B5FA1833E846D293
                                                        SHA-512:8AA937D672457D15F9662E03141F487AA6D814188F48FA9DF450CD44B166B5FBD99D474364DE8B5A6D3683447E8BB78CB84FAC16F70BD1A6278FC0C054487636
                                                        Malicious:false
                                                        Reputation:low
                                                        Preview:...UNF0FBORT.2G.AZ5MG2V.STOHFUMF0FFORT6F2GTAZ5MG2VSSTOHFUMF.FFO\K.H2.].{.L..w.;=<h6'"!B'+o15X(]3t#?.?2\v:=t...u )T#hB_^.F2GTAZ5..2V.RWO.(..F0FFORT6.2EUJ[eMGVWSS\OHFUMF..GORt6F2.UAZ5.G2vSSTMHFQMF0FFORR6F2GTAZ5.F2VQSTOHFUOFP.FOBT6V2GTAJ5MW2VSSTOXFUMF0FFORT6..FT.Z5MG.WS.QOHFUMF0FFORT6F2GTAZ.LG>VSSTOHFUMF0FFORT6F2GTAZ5MG2VSSTOHFUMF0FFORT6F2GTAZ5Mg2V[STOHFUMF0FFGrT6.2GTAZ5MG2VS} *02UMF.$GORt6F2#UAZ7MG2VSSTOHFUMF0fFO2zD5@$TAZ.HG2V.RTONFUM 1FFORT6F2GTAZ5.G2.}!1#'%UMJ0FFO.U6F0GTA64MG2VSSTOHFUMFpFF.RT6F2GTAZ5MG2VSS..IFUMF0.FORV6C2;.AZ..G2USST.HFS..0F.ORT6F2GTAZ5MG2VSSTOHFUMF0FFORT6F2GTAZ5MG2VS.).G../C.ORT6F2FVB^3EO2VSSTOHF+MF0.FOR.6F2pTAZ.MG2;SSTkHFU3F0F8ORTRF2G&AZ5,G2V.STO'FUM(0FF1RT6X0oKAZ?ga2T{sTOBF..5.FFE.U6F64vAZ?.E2VW wOHL.NF0B5kRT<.6GTE).MG8.VSTKb.UN.&@FOI;.F2MTB. KG2MyuTM`.UML0l`OQ.#@2GOkx5O.;VSW~.;[UM@..FOX ?F2E.KZ5Im,T{.TOBlw3U0FBdR~.8&GTEq5geLCSSPdHlw3P0FBdR~.8%GTEq5gA.4S!.CH6V"'0F@g.T6L..TA\5g}2(]STKJ).MF:`luR|fF2ATi.5MA2|.S*|HFQaANuFOV. 8.GTE.35G2P .TOBc.~F0Bn.RT<F..Ti.5MA2~.STI
                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                        Entropy (8bit):6.804600627753854
                                                        TrID:
                                                        • Win32 Executable (generic) a (10002005/4) 99.96%
                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                        • DOS Executable Generic (2002/1) 0.02%
                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                        File name:s6R3Xjt79e.exe
                                                        File size:940'032 bytes
                                                        MD5:a9bb0e77948d245a6ef7570484817029
                                                        SHA1:d9e5a600ac3d8f44c6449a83ea659f09ee010bad
                                                        SHA256:1ba25e6d23cb600dfda66b881fce262fa4648a35503aefaefd4b7296c27f4de1
                                                        SHA512:b960d51d91fe79f7ed10733b3fdc73e52cf7e96362d3c4470bf9739f897370f324745cee8ccd18bd6e7818a584851dcecfca378f4efbc8dfa805f3de2d35fba0
                                                        SSDEEP:24576:oAHnh+eWsN3skA4RV1Hom2KXFmIabAqAKqPd5:vh+ZkldoPK1XabAqT2
                                                        TLSH:CC158C0273D1D036FFAB92739BAAB20156BE7D250123852F22983E79BD741B1163D763
                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..
                                                        Icon Hash:74ecc9ccd4d4c460
                                                        Entrypoint:0x42800a
                                                        Entrypoint Section:.text
                                                        Digitally signed:false
                                                        Imagebase:0x400000
                                                        Subsystem:windows gui
                                                        Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                        DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                        Time Stamp:0x67A9B248 [Mon Feb 10 08:01:12 2025 UTC]
                                                        TLS Callbacks:
                                                        CLR (.Net) Version:
                                                        OS Version Major:5
                                                        OS Version Minor:1
                                                        File Version Major:5
                                                        File Version Minor:1
                                                        Subsystem Version Major:5
                                                        Subsystem Version Minor:1
                                                        Import Hash:afcdf79be1557326c854b6e20cb900a7
                                                        Instruction
                                                        call 00007F1864C46E0Dh
                                                        jmp 00007F1864C39BC4h
                                                        int3
                                                        int3
                                                        int3
                                                        int3
                                                        int3
                                                        int3
                                                        int3
                                                        int3
                                                        int3
                                                        int3
                                                        int3
                                                        int3
                                                        push edi
                                                        push esi
                                                        mov esi, dword ptr [esp+10h]
                                                        mov ecx, dword ptr [esp+14h]
                                                        mov edi, dword ptr [esp+0Ch]
                                                        mov eax, ecx
                                                        mov edx, ecx
                                                        add eax, esi
                                                        cmp edi, esi
                                                        jbe 00007F1864C39D4Ah
                                                        cmp edi, eax
                                                        jc 00007F1864C3A0AEh
                                                        bt dword ptr [004C41FCh], 01h
                                                        jnc 00007F1864C39D49h
                                                        rep movsb
                                                        jmp 00007F1864C3A05Ch
                                                        cmp ecx, 00000080h
                                                        jc 00007F1864C39F14h
                                                        mov eax, edi
                                                        xor eax, esi
                                                        test eax, 0000000Fh
                                                        jne 00007F1864C39D50h
                                                        bt dword ptr [004BF324h], 01h
                                                        jc 00007F1864C3A220h
                                                        bt dword ptr [004C41FCh], 00000000h
                                                        jnc 00007F1864C39EEDh
                                                        test edi, 00000003h
                                                        jne 00007F1864C39EFEh
                                                        test esi, 00000003h
                                                        jne 00007F1864C39EDDh
                                                        bt edi, 02h
                                                        jnc 00007F1864C39D4Fh
                                                        mov eax, dword ptr [esi]
                                                        sub ecx, 04h
                                                        lea esi, dword ptr [esi+04h]
                                                        mov dword ptr [edi], eax
                                                        lea edi, dword ptr [edi+04h]
                                                        bt edi, 03h
                                                        jnc 00007F1864C39D53h
                                                        movq xmm1, qword ptr [esi]
                                                        sub ecx, 08h
                                                        lea esi, dword ptr [esi+08h]
                                                        movq qword ptr [edi], xmm1
                                                        lea edi, dword ptr [edi+08h]
                                                        test esi, 00000007h
                                                        je 00007F1864C39DA5h
                                                        bt esi, 03h
                                                        Programming Language:
                                                        • [ASM] VS2013 build 21005
                                                        • [ C ] VS2013 build 21005
                                                        • [C++] VS2013 build 21005
                                                        • [ C ] VS2008 SP1 build 30729
                                                        • [IMP] VS2008 SP1 build 30729
                                                        • [ASM] VS2013 UPD5 build 40629
                                                        • [RES] VS2013 build 21005
                                                        • [LNK] VS2013 UPD5 build 40629
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbc0cc | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc8000 | 0x1b054 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe4000 | 0x7134 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4b50 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8dfdd | 0x8e000 | 310e36668512d53489c005622bb1b4a9 | False | 0.5735602580325704 | data | 6.675248351711057 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8f000 | 0x2fd8e | 0x2fe00 | f006ab74d3c653b5c5a6cc0c77a171a2 | False | 0.32829838446475196 | data | 5.7632462979925245 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xbf000 | 0x8f74 | 0x5200 | aae9601d920f07080bdfadf43dfeff12 | False | 0.1017530487804878 | data | 1.1963819235530628 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc8000 | 0x1b054 | 0x1b200 | 83b18427e2ddec85f223f44cc857f431 | False | 0.8440650201612904 | data | 7.6955307470706735 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xe4000 | 0x7134 | 0x7200 | f04128ad0f87f42830e4a6cdbc38c719 | False | 0.7617530153508771 | data | 6.783955557128661 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
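The section table above is read straight out of the PE's IMAGE_SECTION_HEADER array, with per-section statistics computed over the raw bytes each header points at. The stdlib-only Python below is an added example (not Joe Sandbox's code) that does the same walk, DOS header to e_lfanew, COFF header, past the optional header to the 40-byte section headers, and reproduces the report's columns: virtual address and sizes, MD5 of the raw data, a zlib compressed-size over raw-size ratio (an assumption about what the ZLIB Complexity column measures), 8-bit Shannon entropy, and the Characteristics bits decoded to the flag names printed above. The PE it parses is a minimal two-section image constructed inside the code, not the analysed file, so its rows are not the report's rows.

```python
"""Rebuild the report's section table (VA, sizes, MD5, ZLIB complexity, entropy, flags) from a PE."""
import hashlib
import math
import struct
import zlib

# IMAGE_SECTION_HEADER Characteristics bits (subset, from winnt.h) that the report prints by name.
SECTION_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    0x02000000: "IMAGE_SCN_MEM_DISCARDABLE",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def zlib_complexity(data: bytes) -> float:
    """Compressed size over raw size (assumed definition); above 1.0 means zlib could not shrink it."""
    return len(zlib.compress(data)) / len(data) if data else 0.0


def decode_characteristics(flags: int) -> list:
    return [name for bit, name in sorted(SECTION_FLAGS.items()) if flags & bit]


def parse_sections(pe: bytes) -> list:
    """Follow e_lfanew to the COFF header, skip the optional header, read each section header."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size
    rows = []
    for i in range(num_sections):
        off = table + 40 * i
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, off)
        flags = struct.unpack_from("<I", pe, off + 36)[0]
        raw = pe[raw_ptr:raw_ptr + raw_size]  # silently shorter if the header overstates the size
        rows.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va, "virtual_size": vsize, "raw_size": raw_size,
            "md5": hashlib.md5(raw).hexdigest(),
            "zlib": zlib_complexity(raw),
            "entropy": shannon_entropy(raw),
            "characteristics": decode_characteristics(flags),
        })
    return rows


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 (not the analysed sample): two sections with known contents."""
    sections = [  # (name, virtual address, raw bytes, characteristics)
            (b".text", 0x1000, bytes(0x200), 0x60000020),           # constant bytes -> entropy 0.0
            (b".data", 0x2000, bytes(range(256)) * 2, 0xC0000040),  # uniform bytes  -> entropy 8.0
    ]
    e_lfanew, opt_size, file_align = 0x40, 0xE0, 0x200
    headers_len = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    raw_ptr = -(-headers_len // file_align) * file_align  # first raw data offset, file-aligned
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", e_lfanew)
    # Machine=i386, NumberOfSections, TimeDateStamp, PtrToSymbols, NumSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    table, blobs, ptr = b"", b"", raw_ptr
    for name, va, raw, flags in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(raw), va, len(raw), ptr, 0, 0, 0, 0, flags)
        blobs += raw
        ptr += len(raw)
    headers = dos + b"PE\0\0" + coff + bytes(opt_size) + table
    return headers.ljust(raw_ptr, b"\0") + blobs


if __name__ == "__main__":
    for r in parse_sections(build_sample_pe()):
        print("%-6s VA=%#x VSize=%#x Raw=%#x md5=%s zlib=%.3f entropy=%.3f %s" % (
            r["name"], r["virtual_address"], r["virtual_size"], r["raw_size"],
            r["md5"], r["zlib"], r["entropy"], ", ".join(r["characteristics"])))
```

Run against a real file with `parse_sections(open(path, "rb").read())`; the optional header is skipped by its declared SizeOfOptionalHeader, so the same walk works for PE32 and PE32+. Entropy close to 8.0 together with a zlib ratio near or above 1.0, as the .rsrc row shows at 7.70, is the usual sign of compressed or encrypted content rather than code or plain data.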
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc8458 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc8580 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc86a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc87d0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.08609958506224066
RT_MENU | 0xcad78 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xcadc8 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xcb35c | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xcb9e8 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xcbe78 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xcc474 | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xccad0 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xccf38 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xcd090 | 0x15aa6 | data | - | - | 1.0004056703702868
RT_GROUP_ICON | 0xe2b38 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0xe2b4c | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0xe2b60 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0xe2b74 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0xe2b88 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0xe2c64 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
                                                        DLLImport
                                                        WSOCK32.dllWSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
                                                        VERSION.dllGetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
                                                        WINMM.dlltimeGetTime, waveOutSetVolume, mciSendStringW
                                                        COMCTL32.dllImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
                                                        MPR.dllWNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
                                                        WININET.dllInternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
                                                        PSAPI.DLLGetProcessMemoryInfo
                                                        IPHLPAPI.DLLIcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
                                                        USERENV.dllDestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
                                                        UxTheme.dllIsThemeActive
                                                        KERNEL32.dllDuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, 
SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll: AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll: StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll: GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll: GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll: DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll: CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll: LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
Description: Data
Translation: 0x0809 0x04b0
Language of compilation system: English
Country where language is spoken: Great Britain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-03-07T22:56:02.051142+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.8 | 49682 | 132.226.247.73 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 7, 2025 22:56:00.049355030 CET | 49682 | 80 | 192.168.2.8 | 132.226.247.73
Mar 7, 2025 22:56:00.054418087 CET | 80 | 49682 | 132.226.247.73 | 192.168.2.8
Mar 7, 2025 22:56:00.054601908 CET | 49682 | 80 | 192.168.2.8 | 132.226.247.73
Mar 7, 2025 22:56:00.055429935 CET | 49682 | 80 | 192.168.2.8 | 132.226.247.73
Mar 7, 2025 22:56:00.060435057 CET | 80 | 49682 | 132.226.247.73 | 192.168.2.8
Mar 7, 2025 22:56:00.777055979 CET | 80 | 49682 | 132.226.247.73 | 192.168.2.8
Mar 7, 2025 22:56:00.793521881 CET | 49682 | 80 | 192.168.2.8 | 132.226.247.73
Mar 7, 2025 22:56:00.798636913 CET | 80 | 49682 | 132.226.247.73 | 192.168.2.8
Mar 7, 2025 22:56:02.003674030 CET | 80 | 49682 | 132.226.247.73 | 192.168.2.8
Mar 7, 2025 22:56:02.016792059 CET | 49683 | 443 | 192.168.2.8 | 104.21.64.1
Mar 7, 2025 22:56:02.016838074 CET | 443 | 49683 | 104.21.64.1 | 192.168.2.8
Mar 7, 2025 22:56:02.016917944 CET | 49683 | 443 | 192.168.2.8 | 104.21.64.1
Mar 7, 2025 22:56:02.028883934 CET | 49683 | 443 | 192.168.2.8 | 104.21.64.1
Mar 7, 2025 22:56:02.028920889 CET | 443 | 49683 | 104.21.64.1 | 192.168.2.8
Mar 7, 2025 22:56:02.051141977 CET | 49682 | 80 | 192.168.2.8 | 132.226.247.73
Mar 7, 2025 22:56:03.920883894 CET | 443 | 49683 | 104.21.64.1 | 192.168.2.8
Mar 7, 2025 22:56:03.921103954 CET | 49683 | 443 | 192.168.2.8 | 104.21.64.1
Mar 7, 2025 22:56:03.925854921 CET | 49683 | 443 | 192.168.2.8 | 104.21.64.1
Mar 7, 2025 22:56:03.925867081 CET | 443 | 49683 | 104.21.64.1 | 192.168.2.8
Mar 7, 2025 22:56:03.926153898 CET | 443 | 49683 | 104.21.64.1 | 192.168.2.8
Mar 7, 2025 22:56:03.972812891 CET | 49683 | 443 | 192.168.2.8 | 104.21.64.1
Mar 7, 2025 22:56:03.980907917 CET | 49683 | 443 | 192.168.2.8 | 104.21.64.1
Mar 7, 2025 22:56:04.024332047 CET | 443 | 49683 | 104.21.64.1 | 192.168.2.8
Mar 7, 2025 22:56:04.417682886 CET | 443 | 49683 | 104.21.64.1 | 192.168.2.8
Mar 7, 2025 22:56:04.417754889 CET | 443 | 49683 | 104.21.64.1 | 192.168.2.8
Mar 7, 2025 22:56:04.417872906 CET | 49683 | 443 | 192.168.2.8 | 104.21.64.1
Mar 7, 2025 22:56:04.425240993 CET | 49683 | 443 | 192.168.2.8 | 104.21.64.1
Mar 7, 2025 22:57:07.003611088 CET | 80 | 49682 | 132.226.247.73 | 192.168.2.8
Mar 7, 2025 22:57:07.003886938 CET | 49682 | 80 | 192.168.2.8 | 132.226.247.73
Mar 7, 2025 22:57:42.004688025 CET | 49682 | 80 | 192.168.2.8 | 132.226.247.73
Mar 7, 2025 22:57:42.010035992 CET | 80 | 49682 | 132.226.247.73 | 192.168.2.8
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 7, 2025 22:56:00.029948950 CET | 58633 | 53 | 192.168.2.8 | 1.1.1.1
Mar 7, 2025 22:56:00.037410021 CET | 53 | 58633 | 1.1.1.1 | 192.168.2.8
Mar 7, 2025 22:56:02.005563974 CET | 63468 | 53 | 192.168.2.8 | 1.1.1.1
Mar 7, 2025 22:56:02.015764952 CET | 53 | 63468 | 1.1.1.1 | 192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 7, 2025 22:56:00.029948950 CET | 192.168.2.8 | 1.1.1.1 | 0x5141 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Mar 7, 2025 22:56:02.005563974 CET | 192.168.2.8 | 1.1.1.1 | 0xa00f | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 7, 2025 22:56:00.037410021 CET | 1.1.1.1 | 192.168.2.8 | 0x5141 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | - | CNAME (Canonical name) | IN (0x0001) | false
Mar 7, 2025 22:56:00.037410021 CET | 1.1.1.1 | 192.168.2.8 | 0x5141 | No error (0) | checkip.dyndns.com | - | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Mar 7, 2025 22:56:00.037410021 CET | 1.1.1.1 | 192.168.2.8 | 0x5141 | No error (0) | checkip.dyndns.com | - | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Mar 7, 2025 22:56:00.037410021 CET | 1.1.1.1 | 192.168.2.8 | 0x5141 | No error (0) | checkip.dyndns.com | - | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Mar 7, 2025 22:56:00.037410021 CET | 1.1.1.1 | 192.168.2.8 | 0x5141 | No error (0) | checkip.dyndns.com | - | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Mar 7, 2025 22:56:00.037410021 CET | 1.1.1.1 | 192.168.2.8 | 0x5141 | No error (0) | checkip.dyndns.com | - | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Mar 7, 2025 22:56:02.015764952 CET | 1.1.1.1 | 192.168.2.8 | 0xa00f | No error (0) | reallyfreegeoip.org | - | 104.21.64.1 | A (IP address) | IN (0x0001) | false
Mar 7, 2025 22:56:02.015764952 CET | 1.1.1.1 | 192.168.2.8 | 0xa00f | No error (0) | reallyfreegeoip.org | - | 104.21.112.1 | A (IP address) | IN (0x0001) | false
Mar 7, 2025 22:56:02.015764952 CET | 1.1.1.1 | 192.168.2.8 | 0xa00f | No error (0) | reallyfreegeoip.org | - | 104.21.96.1 | A (IP address) | IN (0x0001) | false
Mar 7, 2025 22:56:02.015764952 CET | 1.1.1.1 | 192.168.2.8 | 0xa00f | No error (0) | reallyfreegeoip.org | - | 104.21.80.1 | A (IP address) | IN (0x0001) | false
Mar 7, 2025 22:56:02.015764952 CET | 1.1.1.1 | 192.168.2.8 | 0xa00f | No error (0) | reallyfreegeoip.org | - | 104.21.16.1 | A (IP address) | IN (0x0001) | false
Mar 7, 2025 22:56:02.015764952 CET | 1.1.1.1 | 192.168.2.8 | 0xa00f | No error (0) | reallyfreegeoip.org | - | 104.21.48.1 | A (IP address) | IN (0x0001) | false
Mar 7, 2025 22:56:02.015764952 CET | 1.1.1.1 | 192.168.2.8 | 0xa00f | No error (0) | reallyfreegeoip.org | - | 104.21.32.1 | A (IP address) | IN (0x0001) | false
                                                        • reallyfreegeoip.org
                                                        • checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49682 | 132.226.247.73 | 80 | 7120 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Mar 7, 2025 22:56:00.055429935 CET | 151 | OUT | GET / HTTP/1.1
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                        Host: checkip.dyndns.org
                                                        Connection: Keep-Alive
Mar 7, 2025 22:56:00.777055979 CET | 273 | IN | HTTP/1.1 200 OK
                                                        Date: Fri, 07 Mar 2025 21:56:00 GMT
                                                        Content-Type: text/html
                                                        Content-Length: 104
                                                        Connection: keep-alive
                                                        Cache-Control: no-cache
                                                        Pragma: no-cache
                                                        Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                        Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Mar 7, 2025 22:56:00.793521881 CET | 127 | OUT | GET / HTTP/1.1
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                        Host: checkip.dyndns.org
Mar 7, 2025 22:56:02.003674030 CET | 273 | IN | HTTP/1.1 200 OK
                                                        Date: Fri, 07 Mar 2025 21:56:01 GMT
                                                        Content-Type: text/html
                                                        Content-Length: 104
                                                        Connection: keep-alive
                                                        Cache-Control: no-cache
                                                        Pragma: no-cache
                                                        Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                        Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49683 | 104.21.64.1 | 443 | 7120 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-03-07 21:56:03 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                        Host: reallyfreegeoip.org
                                                        Connection: Keep-Alive
2025-03-07 21:56:04 UTC | 854 | IN | HTTP/1.1 200 OK
                                                        Date: Fri, 07 Mar 2025 21:56:04 GMT
                                                        Content-Type: text/xml
                                                        Content-Length: 362
                                                        Connection: close
                                                        Age: 47796
                                                        Cache-Control: max-age=31536000
                                                        cf-cache-status: HIT
                                                        last-modified: Fri, 07 Mar 2025 08:39:27 GMT
                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=r5n2mXD6r2mqllegy6XND5kP89SihLQLwAr4YaN6GeNrFN%2F9hgc4E1V%2BkbUAxcOFCvc8lTBv8WJcZ0ccdmj2OxEpboAon3VtXS%2FgpCo06IIwP1xk4ZFtWX3wex07NaRtuBISFEn8"}],"group":"cf-nel","max_age":604800}
                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                        Server: cloudflare
                                                        CF-RAY: 91cd57362d2632dc-EWR
                                                        alt-svc: h3=":443"; ma=86400
                                                        server-timing: cfL4;desc="?proto=TCP&rtt=18278&min_rtt=9788&rtt_var=17468&sent=6&recv=8&lost=0&retrans=1&sent_bytes=4250&recv_bytes=699&delivery_rate=62912&cwnd=239&unsent_bytes=0&cid=37d51e61bd97dd27&ts=629&x=0"
2025-03-07 21:56:04 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                        Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo
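The two HTTP sessions above, read together, are the sample's geolocation check: the injected RegSvcs.exe (PID 7120) first asks checkip.dyndns.org for its public address, then fetches reallyfreegeoip.org/xml/<that address> and receives the country in XML. The Python below is an added example and is not code from the Joe Sandbox report or from the malware. It decodes the "Data Raw" hex of the first session exactly as printed, extracts the IP and the CountryCode from the two bodies, and runs a small detection over request records constructed from the sessions (the HttpRequest fields, the record timestamps and the LEGACY_UA name are assumptions made here; the User-Agent string itself is the one in the capture). The CountryCode extractor deliberately uses a regex rather than an XML parser, because the captured body is truncated at "<TimeZo" and would not parse as a document.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed input: the checkip.dyndns.org reply body, hex exactly as printed
# in the "Data Raw" line of the first HTTP session above (Content-Length: 104).
CHECKIP_HEX = (
    "3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e "
    "43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b "
    "3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e "
    "43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 "
    "38 2e 34 36 2e 31 32 33 2e 31 38 39 "
    "3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a"
)

# Constructed input: the reallyfreegeoip.org body as far as the sandbox captured
# it. Content-Length says 362 bytes; the tail is not on the page and is not
# reconstructed here, which is why the extractor below tolerates truncation.
GEOIP_PREFIX = (
    "<Response>\n\t<IP>8.46.123.189</IP>\n\t<CountryCode>US</CountryCode>\n\t"
    "<CountryName>United States</CountryName>\n\t<RegionCode>NY</RegionCode>\n\t"
    "<RegionName>New York</RegionName>\n\t<City>New York</City>\n\t"
    "<ZipCode>10118</ZipCode>\n\t<TimeZone>America/New_York</TimeZo"
)

# The User-Agent recorded on both checkip.dyndns.org requests above.
LEGACY_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"


def decode_hex_dump(dump: str) -> bytes:
    """Turn a Joe Sandbox 'Data Raw' value (space-separated hex bytes) into bytes."""
    return bytes.fromhex(dump.replace(" ", ""))


def public_ip_from_checkip(body: bytes) -> Optional[str]:
    """Extract the address from a checkip.dyndns.org HTML body."""
    m = re.search(rb"Current IP Address:\s*(" + IPV4.encode() + rb")", body)
    return m.group(1).decode() if m else None


def country_from_geoip(body: str) -> Optional[str]:
    """Extract <CountryCode> with a regex, so a body cut short by the capture
    (as above) still yields the field an XML parser would choke on."""
    m = re.search(r"<CountryCode>([A-Z]{2})</CountryCode>", body)
    return m.group(1) if m else None


@dataclass
class HttpRequest:
    ts: str            # ISO timestamp, sortable as a plain string
    pid: int
    host: str
    path: str
    user_agent: str
    response_body: bytes


def find_geo_fingerprint_chain(requests: List[HttpRequest]) -> List[str]:
    """Flag a process that learns its public IP from checkip.dyndns.org and then
    looks that exact IP up at reallyfreegeoip.org; also flag the legacy UA."""
    learned: Dict[int, str] = {}   # pid -> public IP the process was told
    findings: List[str] = []
    for r in sorted(requests, key=lambda r: r.ts):
        if r.host == "checkip.dyndns.org":
            if r.user_agent == LEGACY_UA:
                findings.append(f"pid {r.pid}: checkip.dyndns.org request with legacy MSIE 6.0 UA")
            ip = public_ip_from_checkip(r.response_body)
            if ip:
                learned[r.pid] = ip
        elif r.host == "reallyfreegeoip.org":
            ip = learned.get(r.pid)
            if ip and ip in r.path:
                cc = country_from_geoip(r.response_body.decode("utf-8", "replace"))
                findings.append(f"pid {r.pid}: IP-to-geo chain {ip} -> {cc}")
    return findings


# Constructed from the two HTTP sessions above (PID 7120 = RegSvcs.exe). The
# geoip request carried no User-Agent header in the capture.
SAMPLE_REQUESTS = [
    HttpRequest("2025-03-07T21:56:00.055", 7120, "checkip.dyndns.org", "/",
                LEGACY_UA, decode_hex_dump(CHECKIP_HEX)),
    HttpRequest("2025-03-07T21:56:00.793", 7120, "checkip.dyndns.org", "/",
                LEGACY_UA, decode_hex_dump(CHECKIP_HEX)),
    HttpRequest("2025-03-07T21:56:03.000", 7120, "reallyfreegeoip.org",
                "/xml/8.46.123.189", "", GEOIP_PREFIX.encode()),
]

if __name__ == "__main__":
    for line in find_geo_fingerprint_chain(SAMPLE_REQUESTS):
        print(line)
```

The chain rule keys on the same PID issuing both requests and on the learned address appearing in the second path; either half alone (a benign IP check, or a geoip lookup of some other address) does not fire.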



                                                        Target ID:0
                                                        Start time:16:55:56
                                                        Start date:07/03/2025
                                                        Path:C:\Users\user\Desktop\s6R3Xjt79e.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\s6R3Xjt79e.exe"
                                                        Imagebase:0x140000
                                                        File size:940'032 bytes
                                                        MD5 hash:A9BB0E77948D245A6EF7570484817029
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.896849489.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.896849489.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 00000000.00000002.896849489.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.896849489.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.896849489.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                        • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000000.00000002.896849489.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
                                                        Reputation:low
                                                        Has exited:true

                                                        Target ID:2
                                                        Start time:16:55:57
                                                        Start date:07/03/2025
                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\s6R3Xjt79e.exe"
                                                        Imagebase:0xc40000
                                                        File size:45'984 bytes
                                                        MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000002.00000002.2114448921.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2114448921.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 00000002.00000002.2114448921.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.2114448921.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                        • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.2114448921.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2116038724.00000000030D6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        Reputation:high
                                                        Has exited:false
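Target ID 2 is C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, yet its command line still names the original sample and its PID (7120) owns both HTTP sessions above: that is the trace a hollowed host process leaves, and it is the process in which the MassLogger/SnakeKeylogger rules match at 0x402000. The Python below is an added example, not the report's or the sandbox's own logic. It applies three checks to process-creation records modelled on the Target ID blocks: image path versus command-line executable, a .NET Framework helper making outbound connections, and such a helper spawned from a user-writable path. The records are constructed here; the report prints no PID for the sample and no parent PID for RegSvcs.exe, so pid 1 and ppid 1 are assumptions, as is the list of Framework binaries in DOTNET_HOLLOW_TARGETS.

```python
import ntpath
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    image: str                      # path of the executable actually mapped
    cmdline: str                    # command line as reported for the process
    connections: List[str] = field(default_factory=list)   # "ip:port" peers


# Constructed from the Target ID blocks and the HTTP sessions above. The report
# gives PID 7120 for RegSvcs.exe but no PID for the sample and no parent PID,
# so pid 1 / ppid 1 are assumptions; the peers are the two sessions' destinations.
SAMPLE_EVENTS = [
    ProcessEvent(1, 0, r"C:\Users\user\Desktop\s6R3Xjt79e.exe",
                 r'"C:\Users\user\Desktop\s6R3Xjt79e.exe"'),
    ProcessEvent(7120, 1, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
                 r'"C:\Users\user\Desktop\s6R3Xjt79e.exe"',
                 connections=["132.226.247.73:80", "104.21.64.1:443"]),
]

# .NET Framework utilities commonly chosen as hollowing hosts (example list,
# an assumption of this snippet rather than something the report states).
DOTNET_HOLLOW_TARGETS = {"regsvcs.exe", "regasm.exe", "installutil.exe",
                         "msbuild.exe", "aspnet_compiler.exe"}
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def command_line_image(cmdline: str) -> str:
    """Executable token of a Windows command line: the first double-quoted
    string, otherwise the first whitespace-delimited token."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(None, 1)[0] if s else ""


def base(path: str) -> str:
    return ntpath.basename(path).lower()


def hollowing_findings(events: List[ProcessEvent]) -> List[Tuple[int, str]]:
    """Return (pid, reason) pairs for every check that fires."""
    by_pid: Dict[int, ProcessEvent] = {e.pid: e for e in events}
    out: List[Tuple[int, str]] = []
    for e in events:
        img = base(e.image)
        cmd = base(command_line_image(e.cmdline))
        # 1. The mapped image is not the executable the command line names:
        #    the footprint of a process created suspended and then overwritten.
        if cmd and img != cmd:
            out.append((e.pid, f"image {img} but command line names {cmd}"))
        # 2. A Framework helper that has no reason to talk to the Internet does.
        if img in DOTNET_HOLLOW_TARGETS and e.connections:
            out.append((e.pid, f"{img} made outbound connections: "
                               + ", ".join(e.connections)))
        # 3. That helper was spawned by something running from a user-writable path.
        parent = by_pid.get(e.ppid)
        if (parent and img in DOTNET_HOLLOW_TARGETS
                and parent.image.lower().startswith(USER_WRITABLE)):
            out.append((e.pid, f"{img} spawned by {parent.image} (user-writable path)"))
    return out


if __name__ == "__main__":
    for pid, why in hollowing_findings(SAMPLE_EVENTS):
        print(pid, why)
```

Check 1 is the one worth keeping on its own: a legitimate RegSvcs.exe invocation has RegSvcs.exe in its command line, so the mismatch alone is a strong signal even when the network and parent data are missing, and it needs only the fields a normal process-creation event already carries.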
