Edit tour

Windows Analysis Report
Yeni Sat#U0131nalma Sipari#U015fi.exe

Overview

General Information

Sample name:	Yeni Sat#U0131nalma Sipari#U015fi.exe renamed because original name is a hash value
Original sample name:	Yeni Satnalma Siparii.exe
Analysis ID:	1636424
MD5:	1d6fbccfa75078f519145c919bf1f9c4
SHA1:	8655f9ff87b27957a1b27fc527a2c1bb1ef753f4
SHA256:	b74744471b823e007f6ba0d453869112b604edd2d3aa93ad5cb955858af54c35
Tags:	exegeoMassLoggerTURuser-abuse_ch
Infos:

Detection

MSIL Logger, MassLogger RAT

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Yara detected MSIL Logger

Yara detected MassLogger RAT

Yara detected Telegram RAT

.NET source code references suspicious native API functions

Binary is likely a compiled AutoIt script file

Contains functionality to log keystrokes (.Net Source)

Drops VBS files to the startup folder

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

Sigma detected: WScript or CScript Dropper

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Yeni Sat#U0131nalma Sipari#U015fi.exe (PID: 7028 cmdline: "C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe" MD5: 1D6FBCCFA75078F519145C919BF1F9C4)

Zworykin.exe (PID: 6304 cmdline: "C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe" MD5: 1D6FBCCFA75078F519145C919BF1F9C4)

RegSvcs.exe (PID: 6392 cmdline: "C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

wscript.exe (PID: 2932 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Zworykin.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

Zworykin.exe (PID: 5684 cmdline: "C:\Users\user\AppData\Local\oxman\Zworykin.exe" MD5: 1D6FBCCFA75078F519145C919BF1F9C4)

RegSvcs.exe (PID: 2764 cmdline: "C:\Users\user\AppData\Local\oxman\Zworykin.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "SMTP", "From": "darksender@mcnzxz.com", "Password": "Nigeria@2025", "Server": "cphost14.qhoster.net"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.1516199549.0000000001C00000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000002.00000002.1516199549.0000000001C00000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.1516199549.0000000001C00000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000002.00000002.1516199549.0000000001C00000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.1516199549.0000000001C00000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1df:$a1: get_encryptedPassword 0xf507:$a2: get_encryptedUsername 0xef7a:$a3: get_timePasswordChanged 0xf09b:$a4: get_passwordField 0xf1f5:$a5: set_encryptedPassword 0x10b51:$a7: get_logins 0x10802:$a8: GetOutlookPasswords 0x105f4:$a9: StartKeylogger 0x10aa1:$a10: KeyLoggerEventArgs 0x10651:$a11: KeyLoggerEventArgsEventHandler
00000002.00000002.1516199549.0000000001C00000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14197:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13695:$a3: \Google\Chrome\User Data\Default\Login Data 0x139a3:$a4: \Orbitum\User Data\Default\Login Data 0x1479b:$a5: \Kometa\User Data\Default\Login Data
00000005.00000002.1631102681.0000000003CB0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000005.00000002.1631102681.0000000003CB0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.1631102681.0000000003CB0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000005.00000002.1631102681.0000000003CB0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000005.00000002.1631102681.0000000003CB0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1df:$a1: get_encryptedPassword 0xf507:$a2: get_encryptedUsername 0xef7a:$a3: get_timePasswordChanged 0xf09b:$a4: get_passwordField 0xf1f5:$a5: set_encryptedPassword 0x10b51:$a7: get_logins 0x10802:$a8: GetOutlookPasswords 0x105f4:$a9: StartKeylogger 0x10aa1:$a10: KeyLoggerEventArgs 0x10651:$a11: KeyLoggerEventArgsEventHandler
00000005.00000002.1631102681.0000000003CB0000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14197:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13695:$a3: \Google\Chrome\User Data\Default\Login Data 0x139a3:$a4: \Orbitum\User Data\Default\Login Data 0x1479b:$a5: \Kometa\User Data\Default\Login Data
00000003.00000002.2738480123.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000003.00000002.2738480123.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.2738480123.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000003.00000002.2738480123.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000003.00000002.2738480123.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xefdf:$a1: get_encryptedPassword 0xf307:$a2: get_encryptedUsername 0xed7a:$a3: get_timePasswordChanged 0xee9b:$a4: get_passwordField 0xeff5:$a5: set_encryptedPassword 0x10951:$a7: get_logins 0x10602:$a8: GetOutlookPasswords 0x103f4:$a9: StartKeylogger 0x108a1:$a10: KeyLoggerEventArgs 0x10451:$a11: KeyLoggerEventArgsEventHandler
00000003.00000002.2739762525.00000000031C6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.2739614789.0000000002FCC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Zworykin.exe PID: 6304	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: Zworykin.exe PID: 6304	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Zworykin.exe PID: 6304	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
Process Memory Space: Zworykin.exe PID: 6304	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: Zworykin.exe PID: 6304	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x65039:$a1: get_encryptedPassword 0x65352:$a2: get_encryptedUsername 0x64de8:$a3: get_timePasswordChanged 0x64f09:$a4: get_passwordField 0x6504f:$a5: set_encryptedPassword 0x66952:$a7: get_logins 0x66603:$a8: GetOutlookPasswords 0x663f5:$a9: StartKeylogger 0x668a2:$a10: KeyLoggerEventArgs 0x66452:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 6392	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 6392	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 6392	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
Process Memory Space: RegSvcs.exe PID: 6392	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 6392	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x16cf4:$a1: get_encryptedPassword 0x1700d:$a2: get_encryptedUsername 0x16aa3:$a3: get_timePasswordChanged 0x16bc4:$a4: get_passwordField 0x16d0a:$a5: set_encryptedPassword 0x1860d:$a7: get_logins 0x182be:$a8: GetOutlookPasswords 0x180b0:$a9: StartKeylogger 0x1855d:$a10: KeyLoggerEventArgs 0x1810d:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: Zworykin.exe PID: 5684	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: Zworykin.exe PID: 5684	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Zworykin.exe PID: 5684	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
Process Memory Space: Zworykin.exe PID: 5684	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: Zworykin.exe PID: 5684	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x149e8b:$a1: get_encryptedPassword 0x14a1a4:$a2: get_encryptedUsername 0x149c3a:$a3: get_timePasswordChanged 0x149d5b:$a4: get_passwordField 0x149ea1:$a5: set_encryptedPassword 0x14b7a4:$a7: get_logins 0x14b455:$a8: GetOutlookPasswords 0x14b247:$a9: StartKeylogger 0x14b6f4:$a10: KeyLoggerEventArgs 0x14b2a4:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 2764	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 30 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.Zworykin.exe.3cb0000.1.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
5.2.Zworykin.exe.3cb0000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.Zworykin.exe.3cb0000.1.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
5.2.Zworykin.exe.3cb0000.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.Zworykin.exe.3cb0000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3df:$a1: get_encryptedPassword 0xd707:$a2: get_encryptedUsername 0xd17a:$a3: get_timePasswordChanged 0xd29b:$a4: get_passwordField 0xd3f5:$a5: set_encryptedPassword 0xed51:$a7: get_logins 0xea02:$a8: GetOutlookPasswords 0xe7f4:$a9: StartKeylogger 0xeca1:$a10: KeyLoggerEventArgs 0xe851:$a11: KeyLoggerEventArgsEventHandler
5.2.Zworykin.exe.3cb0000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x12397:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x11895:$a3: \Google\Chrome\User Data\Default\Login Data 0x11ba3:$a4: \Orbitum\User Data\Default\Login Data 0x1299b:$a5: \Kometa\User Data\Default\Login Data
5.2.Zworykin.exe.3cb0000.1.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
5.2.Zworykin.exe.3cb0000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.Zworykin.exe.3cb0000.1.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
5.2.Zworykin.exe.3cb0000.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.Zworykin.exe.3cb0000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1df:$a1: get_encryptedPassword 0xf507:$a2: get_encryptedUsername 0xef7a:$a3: get_timePasswordChanged 0xf09b:$a4: get_passwordField 0xf1f5:$a5: set_encryptedPassword 0x10b51:$a7: get_logins 0x10802:$a8: GetOutlookPasswords 0x105f4:$a9: StartKeylogger 0x10aa1:$a10: KeyLoggerEventArgs 0x10651:$a11: KeyLoggerEventArgsEventHandler
5.2.Zworykin.exe.3cb0000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14197:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13695:$a3: \Google\Chrome\User Data\Default\Login Data 0x139a3:$a4: \Orbitum\User Data\Default\Login Data 0x1479b:$a5: \Kometa\User Data\Default\Login Data
2.2.Zworykin.exe.1c00000.1.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.Zworykin.exe.1c00000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.Zworykin.exe.1c00000.1.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
2.2.Zworykin.exe.1c00000.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.Zworykin.exe.1c00000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1df:$a1: get_encryptedPassword 0xf507:$a2: get_encryptedUsername 0xef7a:$a3: get_timePasswordChanged 0xf09b:$a4: get_passwordField 0xf1f5:$a5: set_encryptedPassword 0x10b51:$a7: get_logins 0x10802:$a8: GetOutlookPasswords 0x105f4:$a9: StartKeylogger 0x10aa1:$a10: KeyLoggerEventArgs 0x10651:$a11: KeyLoggerEventArgsEventHandler
2.2.Zworykin.exe.1c00000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14197:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13695:$a3: \Google\Chrome\User Data\Default\Login Data 0x139a3:$a4: \Orbitum\User Data\Default\Login Data 0x1479b:$a5: \Kometa\User Data\Default\Login Data
2.2.Zworykin.exe.1c00000.1.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.Zworykin.exe.1c00000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.Zworykin.exe.1c00000.1.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
2.2.Zworykin.exe.1c00000.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.Zworykin.exe.1c00000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3df:$a1: get_encryptedPassword 0xd707:$a2: get_encryptedUsername 0xd17a:$a3: get_timePasswordChanged 0xd29b:$a4: get_passwordField 0xd3f5:$a5: set_encryptedPassword 0xed51:$a7: get_logins 0xea02:$a8: GetOutlookPasswords 0xe7f4:$a9: StartKeylogger 0xeca1:$a10: KeyLoggerEventArgs 0xe851:$a11: KeyLoggerEventArgsEventHandler
2.2.Zworykin.exe.1c00000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x12397:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x11895:$a3: \Google\Chrome\User Data\Default\Login Data 0x11ba3:$a4: \Orbitum\User Data\Default\Login Data 0x1299b:$a5: \Kometa\User Data\Default\Login Data
Click to see the 19 entries

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Zworykin.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Zworykin.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 496, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Zworykin.vbs" , ProcessId: 2932, ProcessName: wscript.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Zworykin.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Zworykin.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 496, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Zworykin.vbs" , ProcessId: 2932, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\oxman\Zworykin.exe, ProcessId: 6304, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Zworykin.vbs

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-12T19:14:51.873284+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49689	193.122.6.168	80	TCP
2025-03-12T19:15:25.888909+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49695	193.122.6.168	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Yeni Sat#U0131nalma Sipari#U015fi.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe

Avira: detection malicious, Label: TR/AD.SnakeStealer.bbyez

Found malware configuration

Source: 00000003.00000002.2739762525.0000000003071000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "darksender@mcnzxz.com", "Password": "Nigeria@2025", "Server": "cphost14.qhoster.net"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Virustotal: Detection: 43%			Perma Link

Multi AV Scanner detection for submitted file

Source: Yeni Sat#U0131nalma Sipari#U015fi.exe	Virustotal: Detection: 43%			Perma Link
Source: Yeni Sat#U0131nalma Sipari#U015fi.exe	ReversingLabs: Detection: 65%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: Yeni Sat#U0131nalma Sipari#U015fi.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.6:49690 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.6:49696 version: TLS 1.0

Source:	Binary string: wntdll.pdbUGP source: Zworykin.exe, 00000002.00000003.1512681654.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, Zworykin.exe, 00000002.00000003.1512552164.0000000003850000.00000004.00001000.00020000.00000000.sdmp, Zworykin.exe, 00000005.00000003.1626700424.0000000004170000.00000004.00001000.00020000.00000000.sdmp, Zworykin.exe, 00000005.00000003.1626826692.0000000004310000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Zworykin.exe, 00000002.00000003.1512681654.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, Zworykin.exe, 00000002.00000003.1512552164.0000000003850000.00000004.00001000.00020000.00000000.sdmp, Zworykin.exe, 00000005.00000003.1626700424.0000000004170000.00000004.00001000.00020000.00000000.sdmp, Zworykin.exe, 00000005.00000003.1626826692.0000000004310000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 0_2_00F1445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00F1445A
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 0_2_00F1C6D1 FindFirstFileW,FindClose,	0_2_00F1C6D1
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 0_2_00F1C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00F1C75C
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 0_2_00F1EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00F1EF95
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 0_2_00F1F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00F1F0F2
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 0_2_00F1F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00F1F3F3
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 0_2_00F137EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00F137EF
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 0_2_00F13B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00F13B12
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 0_2_00F1BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00F1BCBC
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 2_2_005E445A GetFileAttributesW,FindFirstFileW,FindClose,	2_2_005E445A
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 2_2_005EC6D1 FindFirstFileW,FindClose,	2_2_005EC6D1
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 2_2_005EC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	2_2_005EC75C
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 2_2_005EEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_005EEF95
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 2_2_005EF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_005EF0F2
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 2_2_005EF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_005EF3F3
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 2_2_005E37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_005E37EF
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 2_2_005E3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_005E3B12
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 2_2_005EBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_005EBCBC

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01585782h	3_2_01585358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 015851B9h	3_2_01584F08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01585782h	3_2_015856AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 02D355C9h	6_2_02D35318
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 02D35CF2h	6_2_02D358C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 02D35CF2h	6_2_02D35C1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 069331F0h	6_2_06932F48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06931935h	6_2_069315F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0693FD30h	6_2_0693FA88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0693D93Ah	6_2_0693D690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0693A970h	6_2_0693A6C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0693F8D8h	6_2_0693F630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06933AA0h	6_2_069337F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0693B220h	6_2_0693AF78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06930741h	6_2_06930498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0693BF28h	6_2_0693BC80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0693A0C0h	6_2_06939CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0693E778h	6_2_0693E4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0693DEC8h	6_2_0693DC20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06933EF8h	6_2_06933C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0693F028h	6_2_0693ED80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0693D088h	6_2_0693CDE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0693C7D8h	6_2_0693C530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06930FF1h	6_2_06930D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06932D98h	6_2_06932AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0693D4E0h	6_2_0693D238
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0693A518h	6_2_0693A270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06933648h	6_2_069333A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0693B678h	6_2_0693B3D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0693ADC8h	6_2_0693AB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06934350h	6_2_069340A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0693C380h	6_2_0693C0D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06930B99h	6_2_069308F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0693BAD0h	6_2_0693B828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 069302E9h	6_2_06930040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0693E320h	6_2_0693E078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0693CC30h	6_2_0693C988
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 06931449h	6_2_069311A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0693F480h	6_2_0693F1D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 0693EBD0h	6_2_0693E928

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168
Source: Joe Sandbox View	IP Address: 104.21.64.1 104.21.64.1
Source: Joe Sandbox View	IP Address: 104.21.64.1 104.21.64.1

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49695 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49689 -> 193.122.6.168:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.6:49690 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.6:49696 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe

Code function: 0_2_00F222EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00F222EE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: RegSvcs.exe, 00000003.00000002.2739762525.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2739614789.0000000002EF2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2739614789.0000000002F09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000003.00000002.2739762525.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2739614789.0000000002EF2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2739614789.0000000002F09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: RegSvcs.exe, 00000003.00000002.2739762525.00000000030DE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2739762525.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2739614789.0000000002EDE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2739614789.0000000002EF2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2739614789.0000000002F09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000003.00000002.2739762525.00000000030C3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2739762525.0000000003071000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2739614789.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: RegSvcs.exe, 00000003.00000002.2739762525.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2739614789.0000000002F09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: Zworykin.exe, 00000002.00000002.1516199549.0000000001C00000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2738480123.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Zworykin.exe, 00000005.00000002.1631102681.0000000003CB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000003.00000002.2739762525.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2739614789.0000000002EF2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2739614789.0000000002F09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: RegSvcs.exe, 00000003.00000002.2739762525.000000000310D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2739614789.0000000002F09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000003.00000002.2739762525.000000000310D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2739614789.0000000002F09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: RegSvcs.exe, 00000003.00000002.2739762525.00000000030C3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2739614789.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Zworykin.exe, 00000002.00000002.1516199549.0000000001C00000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2738480123.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Zworykin.exe, 00000005.00000002.1631102681.0000000003CB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: RegSvcs.exe, 00000003.00000002.2739762525.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2739614789.0000000002F09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: Zworykin.exe, 00000002.00000002.1516199549.0000000001C00000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2738480123.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2739762525.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, Zworykin.exe, 00000005.00000002.1631102681.0000000003CB0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2739614789.0000000002F09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000003.00000002.2739762525.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2739614789.0000000002F09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: RegSvcs.exe, 00000003.00000002.2739762525.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2739614789.0000000002F09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown	Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49690
Source: unknown	Network traffic detected: HTTP traffic on port 49690 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 2.2.Zworykin.exe.1c00000.1.raw.unpack, UltraSpeed.cs	.Net Code: VKCodeToUnicode
Source: 5.2.Zworykin.exe.3cb0000.1.raw.unpack, UltraSpeed.cs	.Net Code: VKCodeToUnicode

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe

Code function: 0_2_00F24164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00F24164

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 0_2_00F24164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		0_2_00F24164
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 2_2_005F4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		2_2_005F4164

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe

Code function: 0_2_00F23F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00F23F66

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe

Code function: 0_2_00F1001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00F1001C

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 0_2_00F3CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		0_2_00F3CABC
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 2_2_0060CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		2_2_0060CABC

System Summary

Malicious sample detected (through community Yara rule)

Source: 5.2.Zworykin.exe.3cb0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.Zworykin.exe.3cb0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.Zworykin.exe.3cb0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.Zworykin.exe.3cb0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.Zworykin.exe.1c00000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.Zworykin.exe.1c00000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.Zworykin.exe.1c00000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.Zworykin.exe.1c00000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000002.00000002.1516199549.0000000001C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.1516199549.0000000001C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000005.00000002.1631102681.0000000003CB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000005.00000002.1631102681.0000000003CB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000003.00000002.2738480123.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Zworykin.exe PID: 6304, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 6392, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Zworykin.exe PID: 5684, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00EB3B3A
Source: Yeni Sat#U0131nalma Sipari#U015fi.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Yeni Sat#U0131nalma Sipari#U015fi.exe, 00000000.00000002.1498941630.0000000000F64000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_05b37f0e-5
Source: Yeni Sat#U0131nalma Sipari#U015fi.exe, 00000000.00000002.1498941630.0000000000F64000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_bac7c23c-b
Source: Yeni Sat#U0131nalma Sipari#U015fi.exe, 00000000.00000003.1496620731.0000000004183000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_9fc880c6-2
Source: Yeni Sat#U0131nalma Sipari#U015fi.exe, 00000000.00000003.1496620731.0000000004183000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_e6d1b4d5-8
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: This is a third-party compiled AutoIt script.	2_2_00583B3A
Source: Zworykin.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Zworykin.exe, 00000002.00000002.1515310487.0000000000634000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_b396b5f2-1
Source: Zworykin.exe, 00000002.00000002.1515310487.0000000000634000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_3c3fb5ab-9
Source: Zworykin.exe, 00000005.00000002.1629223076.0000000000634000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_c3183c23-0
Source: Zworykin.exe, 00000005.00000002.1629223076.0000000000634000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_0c31dac4-0
Source: Yeni Sat#U0131nalma Sipari#U015fi.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_8a8f1568-0
Source: Yeni Sat#U0131nalma Sipari#U015fi.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_d45aa9a9-4
Source: Zworykin.exe.0.dr	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_b29f1c4e-0
Source: Zworykin.exe.0.dr	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_996b4412-b

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe

Code function: 0_2_00F1A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_00F1A1EF

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe

Code function: 0_2_00F08310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00F08310

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 0_2_00F151BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		0_2_00F151BD
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 2_2_005E51BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		2_2_005E51BD

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 0_2_00EDD975	0_2_00EDD975
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 0_2_00ED21C5	0_2_00ED21C5
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 0_2_00EE62D2	0_2_00EE62D2
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 0_2_00F303DA	0_2_00F303DA
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 0_2_00EE242E	0_2_00EE242E
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 0_2_00ED25FA	0_2_00ED25FA
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 0_2_00EC66E1	0_2_00EC66E1
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 0_2_00EBE6A0	0_2_00EBE6A0
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 0_2_00F0E616	0_2_00F0E616
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 0_2_00EE878F	0_2_00EE878F
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 0_2_00F18889	0_2_00F18889
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 0_2_00F30857	0_2_00F30857
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 0_2_00EE6844	0_2_00EE6844
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 0_2_00EC8808	0_2_00EC8808
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 0_2_00EDCB21	0_2_00EDCB21
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 0_2_00EE6DB6	0_2_00EE6DB6
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 0_2_00EC6F9E	0_2_00EC6F9E
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 0_2_00EC3030	0_2_00EC3030
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 0_2_00EDF1D9	0_2_00EDF1D9
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 0_2_00ED3187	0_2_00ED3187
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 0_2_00EB1287	0_2_00EB1287
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 0_2_00ED1484	0_2_00ED1484
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 0_2_00EC5520	0_2_00EC5520
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 0_2_00ED7696	0_2_00ED7696
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 0_2_00EC5760	0_2_00EC5760
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 0_2_00ED1978	0_2_00ED1978
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 0_2_00EE9AB5	0_2_00EE9AB5
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 0_2_00EBFCE0	0_2_00EBFCE0
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 0_2_00F37DDB	0_2_00F37DDB
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 0_2_00EDBDA6	0_2_00EDBDA6
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 0_2_00ED1D90	0_2_00ED1D90
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 0_2_00EC3FE0	0_2_00EC3FE0
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 0_2_00EBDF00	0_2_00EBDF00
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 0_2_01855118	0_2_01855118
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 2_2_005AD975	2_2_005AD975
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 2_2_005A21C5	2_2_005A21C5
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 2_2_005B62D2	2_2_005B62D2
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 2_2_006003DA	2_2_006003DA
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 2_2_005B242E	2_2_005B242E
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 2_2_005A25FA	2_2_005A25FA
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 2_2_005DE616	2_2_005DE616
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 2_2_005966E1	2_2_005966E1
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 2_2_0058E6A0	2_2_0058E6A0
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 2_2_005B878F	2_2_005B878F
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 2_2_005B6844	2_2_005B6844
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 2_2_00600857	2_2_00600857
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 2_2_00598808	2_2_00598808
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 2_2_005E8889	2_2_005E8889
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 2_2_005ACB21	2_2_005ACB21
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 2_2_005B6DB6	2_2_005B6DB6
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 2_2_00596F9E	2_2_00596F9E
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 2_2_00593030	2_2_00593030
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 2_2_005AF1D9	2_2_005AF1D9
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 2_2_005A3187	2_2_005A3187
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 2_2_00581287	2_2_00581287
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 2_2_005A1484	2_2_005A1484
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 2_2_00595520	2_2_00595520
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 2_2_005A7696	2_2_005A7696
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 2_2_00595760	2_2_00595760
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 2_2_005A1978	2_2_005A1978
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 2_2_005B9AB5	2_2_005B9AB5
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 2_2_0058FCE0	2_2_0058FCE0
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 2_2_00607DDB	2_2_00607DDB
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 2_2_005A1D90	2_2_005A1D90
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 2_2_005ABDA6	2_2_005ABDA6
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 2_2_0058DF00	2_2_0058DF00
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 2_2_00593FE0	2_2_00593FE0
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 2_2_00F86458	2_2_00F86458
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0158C168	3_2_0158C168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0158A7F2	3_2_0158A7F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_015819B8	3_2_015819B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0158CAB0	3_2_0158CAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01582DD1	3_2_01582DD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01584F08	3_2_01584F08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01587E68	3_2_01587E68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0158B9DC	3_2_0158B9DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0158B9E0	3_2_0158B9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0158CAAE	3_2_0158CAAE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01587E66	3_2_01587E66
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01584EF8	3_2_01584EF8
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 5_2_018B74F0	5_2_018B74F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_02D3C2C8	6_2_02D3C2C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_02D35318	6_2_02D35318
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_02D327B9	6_2_02D327B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_02D3CBB8	6_2_02D3CBB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_02D37FC8	6_2_02D37FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_02D35309	6_2_02D35309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_02D3BB40	6_2_02D3BB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_02D37FB8	6_2_02D37FB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_02D32DD1	6_2_02D32DD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_06937780	6_2_06937780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_06932F48	6_2_06932F48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_06931C58	6_2_06931C58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_069315F8	6_2_069315F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_06934500	6_2_06934500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0693FA88	6_2_0693FA88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_06936A20	6_2_06936A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0693D690	6_2_0693D690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0693D682	6_2_0693D682
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0693A6B9	6_2_0693A6B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0693A6C8	6_2_0693A6C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0693F630	6_2_0693F630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0693F620	6_2_0693F620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_069337F8	6_2_069337F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_069337E8	6_2_069337E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0693AF78	6_2_0693AF78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0693AF68	6_2_0693AF68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_06930498	6_2_06930498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0693BC80	6_2_0693BC80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_06930488	6_2_06930488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_06939CA0	6_2_06939CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0693E4D0	6_2_0693E4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0693E4C0	6_2_0693E4C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0693DC12	6_2_0693DC12
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0693DC20	6_2_0693DC20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_06933C50	6_2_06933C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_06933C41	6_2_06933C41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_06931C48	6_2_06931C48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0693BC71	6_2_0693BC71
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0693ED80	6_2_0693ED80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0693CDDA	6_2_0693CDDA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0693CDE0	6_2_0693CDE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_069315EA	6_2_069315EA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0693C530	6_2_0693C530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_06930D38	6_2_06930D38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0693C52A	6_2_0693C52A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_06930D48	6_2_06930D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0693ED70	6_2_0693ED70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_06932AF0	6_2_06932AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_06932AE0	6_2_06932AE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0693D238	6_2_0693D238
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0693A270	6_2_0693A270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0693FA78	6_2_0693FA78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0693A261	6_2_0693A261
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_06933392	6_2_06933392
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_069333A0	6_2_069333A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0693B3D0	6_2_0693B3D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0693B3C1	6_2_0693B3C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0693AB10	6_2_0693AB10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0693AB20	6_2_0693AB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_06934098	6_2_06934098
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_069340A8	6_2_069340A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0693C0D8	6_2_0693C0D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0693C0CA	6_2_0693C0CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_069308F0	6_2_069308F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_069308E0	6_2_069308E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0693B818	6_2_0693B818
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0693001E	6_2_0693001E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0693B828	6_2_0693B828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_06930040	6_2_06930040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0693E078	6_2_0693E078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0693E068	6_2_0693E068
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0693C988	6_2_0693C988
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0693118F	6_2_0693118F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_069311A0	6_2_069311A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0693F1D8	6_2_0693F1D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0693F1C8	6_2_0693F1C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0693E922	6_2_0693E922
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0693E928	6_2_0693E928
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0693C97A	6_2_0693C97A

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: String function: 00ED8900 appears 42 times
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: String function: 00ED0AE3 appears 70 times
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: String function: 00EB7DE1 appears 35 times
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: String function: 00587DE1 appears 35 times
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: String function: 005A0AE3 appears 70 times
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: String function: 005A8900 appears 42 times

Source: Yeni Sat#U0131nalma Sipari#U015fi.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 5.2.Zworykin.exe.3cb0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.Zworykin.exe.3cb0000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.Zworykin.exe.3cb0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.Zworykin.exe.3cb0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.Zworykin.exe.1c00000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.Zworykin.exe.1c00000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.Zworykin.exe.1c00000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.Zworykin.exe.1c00000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.1516199549.0000000001C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.1516199549.0000000001C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000005.00000002.1631102681.0000000003CB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000005.00000002.1631102681.0000000003CB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000002.2738480123.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Zworykin.exe PID: 6304, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 6392, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Zworykin.exe PID: 5684, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: 2.2.Zworykin.exe.1c00000.1.raw.unpack, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.Zworykin.exe.1c00000.1.raw.unpack, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.Zworykin.exe.3cb0000.1.raw.unpack, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.Zworykin.exe.3cb0000.1.raw.unpack, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@10/6@2/2

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe

Code function: 0_2_00F1A06A GetLastError,FormatMessageW,

0_2_00F1A06A

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 0_2_00F081CB AdjustTokenPrivileges,CloseHandle,	0_2_00F081CB
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 0_2_00F087E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	0_2_00F087E1
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 2_2_005D81CB AdjustTokenPrivileges,CloseHandle,	2_2_005D81CB
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 2_2_005D87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	2_2_005D87E1

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe

Code function: 0_2_00F1B3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00F1B3FB

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe

Code function: 0_2_00F2EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00F2EE0D

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe

Code function: 0_2_00F283BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_00F283BB

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe

Code function: 0_2_00EB4E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00EB4E89

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe

File created: C:\Users\user\AppData\Local\oxman

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe

File created: C:\Users\user\AppData\Local\Temp\aut1BCA.tmp

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Zworykin.vbs"

Source: Yeni Sat#U0131nalma Sipari#U015fi.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000003.00000002.2739762525.0000000003150000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2739762525.000000000316E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2739762525.0000000003183000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2739762525.000000000318F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2739762525.0000000003160000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2739614789.0000000002F65000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2740695249.0000000003E9D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2739614789.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2739614789.0000000002F95000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2739614789.0000000002F88000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2739614789.0000000002F56000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Yeni Sat#U0131nalma Sipari#U015fi.exe	Virustotal: Detection: 43%
Source: Yeni Sat#U0131nalma Sipari#U015fi.exe	ReversingLabs: Detection: 65%

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe

File read: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe "C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe"
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process created: C:\Users\user\AppData\Local\oxman\Zworykin.exe "C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe"
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Zworykin.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\oxman\Zworykin.exe "C:\Users\user\AppData\Local\oxman\Zworykin.exe"
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\oxman\Zworykin.exe"
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process created: C:\Users\user\AppData\Local\oxman\Zworykin.exe "C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\oxman\Zworykin.exe "C:\Users\user\AppData\Local\oxman\Zworykin.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\oxman\Zworykin.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Yeni Sat#U0131nalma Sipari#U015fi.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Yeni Sat#U0131nalma Sipari#U015fi.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Yeni Sat#U0131nalma Sipari#U015fi.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Yeni Sat#U0131nalma Sipari#U015fi.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Yeni Sat#U0131nalma Sipari#U015fi.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Yeni Sat#U0131nalma Sipari#U015fi.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Yeni Sat#U0131nalma Sipari#U015fi.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: Zworykin.exe, 00000002.00000003.1512681654.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, Zworykin.exe, 00000002.00000003.1512552164.0000000003850000.00000004.00001000.00020000.00000000.sdmp, Zworykin.exe, 00000005.00000003.1626700424.0000000004170000.00000004.00001000.00020000.00000000.sdmp, Zworykin.exe, 00000005.00000003.1626826692.0000000004310000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Zworykin.exe, 00000002.00000003.1512681654.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, Zworykin.exe, 00000002.00000003.1512552164.0000000003850000.00000004.00001000.00020000.00000000.sdmp, Zworykin.exe, 00000005.00000003.1626700424.0000000004170000.00000004.00001000.00020000.00000000.sdmp, Zworykin.exe, 00000005.00000003.1626826692.0000000004310000.00000004.00001000.00020000.00000000.sdmp

Source: Yeni Sat#U0131nalma Sipari#U015fi.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Yeni Sat#U0131nalma Sipari#U015fi.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Yeni Sat#U0131nalma Sipari#U015fi.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Yeni Sat#U0131nalma Sipari#U015fi.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Yeni Sat#U0131nalma Sipari#U015fi.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe

Code function: 0_2_00EB4B37 LoadLibraryA,GetProcAddress,

0_2_00EB4B37

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 0_2_00ED8945 push ecx; ret	0_2_00ED8958
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 2_2_005A8945 push ecx; ret	2_2_005A8958
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_06931B4A push es; iretd	6_2_06931C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_06930006 push es; retf	6_2_0693001C

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe

File created: C:\Users\user\AppData\Local\oxman\Zworykin.exe

Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Zworykin.vbs

Jump to dropped file

Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Zworykin.vbs

Jump to behavior

Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Zworykin.vbs

Jump to behavior

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 0_2_00EB48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	0_2_00EB48D7
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 0_2_00F35376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	0_2_00F35376
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 2_2_005848D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	2_2_005848D7
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 2_2_00605376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	2_2_00605376

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe

Code function: 0_2_00ED3187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00ED3187

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	API/Special instruction interceptor: Address: F8607C
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	API/Special instruction interceptor: Address: 18B7114

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599647	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599421	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599202	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599093	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598982	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598764	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598617	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598378	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598116	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597881	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597421	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597093	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595995	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595764	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595654	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595055	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594499	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594171	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594062	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 7561			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 2282			Jump to behavior

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes			graph_0-105377
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	API coverage: 4.4 %
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	API coverage: 4.8 %

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 0_2_00F1445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00F1445A
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 0_2_00F1C6D1 FindFirstFileW,FindClose,	0_2_00F1C6D1
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 0_2_00F1C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00F1C75C
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 0_2_00F1EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00F1EF95
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 0_2_00F1F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00F1F0F2
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 0_2_00F1F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00F1F3F3
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 0_2_00F137EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00F137EF
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 0_2_00F13B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00F13B12
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 0_2_00F1BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00F1BCBC
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 2_2_005E445A GetFileAttributesW,FindFirstFileW,FindClose,	2_2_005E445A
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 2_2_005EC6D1 FindFirstFileW,FindClose,	2_2_005EC6D1
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 2_2_005EC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	2_2_005EC75C
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 2_2_005EEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_005EEF95
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 2_2_005EF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_005EF0F2
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 2_2_005EF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_005EF3F3
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 2_2_005E37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_005E37EF
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 2_2_005E3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_005E3B12
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 2_2_005EBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_005EBCBC

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe

Code function: 0_2_00EB49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00EB49A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599647	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599421	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599202	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599093	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598982	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598764	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598617	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598378	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598116	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597881	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597421	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597093	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595995	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595764	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595654	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595055	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594499	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594171	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594062	Jump to behavior

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior

Source: RegSvcs.exe, 00000006.00000002.2738706271.00000000010DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll:
Source: wscript.exe, 00000004.00000002.1613624274.000002D281E14000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: RegSvcs.exe, 00000003.00000002.2738707568.0000000001299000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 3_2_0158C168 LdrInitializeThunk,LdrInitializeThunk,

3_2_0158C168

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe

Code function: 0_2_00F23F09 BlockInput,

0_2_00F23F09

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe

Code function: 0_2_00EB3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00EB3B3A

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe

Code function: 0_2_00EE5A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00EE5A7C

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe

Code function: 0_2_00EB4B37 LoadLibraryA,GetProcAddress,

0_2_00EB4B37

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 0_2_01855008 mov eax, dword ptr fs:[00000030h]	0_2_01855008
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 0_2_01853978 mov eax, dword ptr fs:[00000030h]	0_2_01853978
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 0_2_01854FA8 mov eax, dword ptr fs:[00000030h]	0_2_01854FA8
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 2_2_00F862E8 mov eax, dword ptr fs:[00000030h]	2_2_00F862E8
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 2_2_00F86348 mov eax, dword ptr fs:[00000030h]	2_2_00F86348
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 2_2_00F84CB8 mov eax, dword ptr fs:[00000030h]	2_2_00F84CB8
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 5_2_018B7380 mov eax, dword ptr fs:[00000030h]	5_2_018B7380
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 5_2_018B5D50 mov eax, dword ptr fs:[00000030h]	5_2_018B5D50
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 5_2_018B73E0 mov eax, dword ptr fs:[00000030h]	5_2_018B73E0

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe

Code function: 0_2_00F080A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_00F080A9

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 0_2_00EDA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00EDA155
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 0_2_00EDA124 SetUnhandledExceptionFilter,	0_2_00EDA124
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 2_2_005AA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_005AA155
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 2_2_005AA124 SetUnhandledExceptionFilter,	2_2_005AA124

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 2.2.Zworykin.exe.1c00000.1.raw.unpack, UltraSpeed.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 2.2.Zworykin.exe.1c00000.1.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 2.2.Zworykin.exe.1c00000.1.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: FB5008			Jump to behavior
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: C4A008			Jump to behavior

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe

Code function: 0_2_00F087B1 LogonUserW,

0_2_00F087B1

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe

Code function: 0_2_00EB3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00EB3B3A

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe

Code function: 0_2_00EB48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00EB48D7

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe

Code function: 0_2_00F14C7F mouse_event,

0_2_00F14C7F

Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\oxman\Zworykin.exe "C:\Users\user\AppData\Local\oxman\Zworykin.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\oxman\Zworykin.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe

Code function: 0_2_00F07CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00F07CAF

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe

Code function: 0_2_00F0874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00F0874B

Source: Yeni Sat#U0131nalma Sipari#U015fi.exe, Zworykin.exe.0.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Yeni Sat#U0131nalma Sipari#U015fi.exe, Zworykin.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe

Code function: 0_2_00ED862B cpuid

0_2_00ED862B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe

Code function: 0_2_00EE4E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00EE4E87

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe

Code function: 0_2_00EF1E06 GetUserNameW,

0_2_00EF1E06

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe

Code function: 0_2_00EE3F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00EE3F3A

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe

Code function: 0_2_00EB49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00EB49A0

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MSIL Logger

Source: Yara match	File source: 5.2.Zworykin.exe.3cb0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Zworykin.exe.3cb0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Zworykin.exe.1c00000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Zworykin.exe.1c00000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1516199549.0000000001C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1631102681.0000000003CB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2738480123.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Zworykin.exe PID: 6304, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6392, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Zworykin.exe PID: 5684, type: MEMORYSTR

Yara detected MassLogger RAT

Source: Yara match	File source: 5.2.Zworykin.exe.3cb0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Zworykin.exe.3cb0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Zworykin.exe.1c00000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Zworykin.exe.1c00000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1516199549.0000000001C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1631102681.0000000003CB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2738480123.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Zworykin.exe PID: 6304, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6392, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Zworykin.exe PID: 5684, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 5.2.Zworykin.exe.3cb0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Zworykin.exe.3cb0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Zworykin.exe.1c00000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Zworykin.exe.1c00000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1516199549.0000000001C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1631102681.0000000003CB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2738480123.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Zworykin.exe PID: 6304, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6392, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Zworykin.exe PID: 5684, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Zworykin.exe	Binary or memory string: WIN_81
Source: Zworykin.exe	Binary or memory string: WIN_XP
Source: Zworykin.exe	Binary or memory string: WIN_XPe
Source: Zworykin.exe	Binary or memory string: WIN_VISTA
Source: Zworykin.exe	Binary or memory string: WIN_7
Source: Zworykin.exe	Binary or memory string: WIN_8
Source: Zworykin.exe.0.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 5.2.Zworykin.exe.3cb0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Zworykin.exe.3cb0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Zworykin.exe.1c00000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Zworykin.exe.1c00000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1516199549.0000000001C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1631102681.0000000003CB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2738480123.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2739762525.00000000031C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2739614789.0000000002FCC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Zworykin.exe PID: 6304, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6392, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Zworykin.exe PID: 5684, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2764, type: MEMORYSTR

Remote Access Functionality

Yara detected MSIL Logger

Source: Yara match	File source: 5.2.Zworykin.exe.3cb0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Zworykin.exe.3cb0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Zworykin.exe.1c00000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Zworykin.exe.1c00000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1516199549.0000000001C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1631102681.0000000003CB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2738480123.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Zworykin.exe PID: 6304, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6392, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Zworykin.exe PID: 5684, type: MEMORYSTR

Yara detected MassLogger RAT

Source: Yara match	File source: 5.2.Zworykin.exe.3cb0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Zworykin.exe.3cb0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Zworykin.exe.1c00000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Zworykin.exe.1c00000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1516199549.0000000001C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1631102681.0000000003CB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2738480123.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Zworykin.exe PID: 6304, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6392, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Zworykin.exe PID: 5684, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 5.2.Zworykin.exe.3cb0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Zworykin.exe.3cb0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Zworykin.exe.1c00000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Zworykin.exe.1c00000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1516199549.0000000001C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1631102681.0000000003CB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2738480123.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Zworykin.exe PID: 6304, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6392, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Zworykin.exe PID: 5684, type: MEMORYSTR

Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 0_2_00F26283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	0_2_00F26283
Source: C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe	Code function: 0_2_00F26747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_00F26747
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 2_2_005F6283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	2_2_005F6283
Source: C:\Users\user\AppData\Local\oxman\Zworykin.exe	Code function: 2_2_005F6747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	2_2_005F6747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	2 Valid Accounts	12 Native API	111 Scripting	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	121 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Valid Accounts	2 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Registry Run Keys / Startup Folder	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	127 System Information Discovery	Distributed Component Object Model	121 Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 Masquerading	LSA Secrets	231 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Registry Run Keys / Startup Folder	2 Valid Accounts	Cached Domain Credentials	11 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	212 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Yeni Sat#U0131nalma Sipari#U015fi.exe	44%	Virustotal		Browse
Yeni Sat#U0131nalma Sipari#U015fi.exe	66%	ReversingLabs	Win32.Spyware.Negasteal
Yeni Sat#U0131nalma Sipari#U015fi.exe	100%	Avira	TR/AD.SnakeStealer.bbyez

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\oxman\Zworykin.exe	100%	Avira	TR/AD.SnakeStealer.bbyez
C:\Users\user\AppData\Local\oxman\Zworykin.exe	66%	ReversingLabs	Win32.Spyware.Negasteal
C:\Users\user\AppData\Local\oxman\Zworykin.exe	44%	Virustotal		Browse

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.64.1	true	false	high
checkip.dyndns.com	193.122.6.168	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/8.46.123.189	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189l	RegSvcs.exe, 00000003.00000002.2739762525.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2739614789.0000000002F09000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.comd	RegSvcs.exe, 00000003.00000002.2739762525.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2739614789.0000000002EF2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2739614789.0000000002F09000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	Zworykin.exe, 00000002.00000002.1516199549.0000000001C00000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2738480123.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Zworykin.exe, 00000005.00000002.1631102681.0000000003CB0000.00000004.00001000.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.orgd	RegSvcs.exe, 00000003.00000002.2739762525.000000000310D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2739614789.0000000002F09000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189d	RegSvcs.exe, 00000003.00000002.2739762525.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2739614789.0000000002F09000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	RegSvcs.exe, 00000003.00000002.2739762525.000000000310D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2739614789.0000000002F09000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.orgd	RegSvcs.exe, 00000003.00000002.2739762525.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2739614789.0000000002EF2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2739614789.0000000002F09000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	RegSvcs.exe, 00000003.00000002.2739762525.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2739614789.0000000002F09000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	RegSvcs.exe, 00000003.00000002.2739762525.00000000030DE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2739762525.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2739614789.0000000002EDE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2739614789.0000000002EF2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2739614789.0000000002F09000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	RegSvcs.exe, 00000003.00000002.2739762525.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2739614789.0000000002EF2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2739614789.0000000002F09000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/d	RegSvcs.exe, 00000003.00000002.2739762525.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2739614789.0000000002F09000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000003.00000002.2739762525.00000000030C3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2739614789.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot-/sendDocument?chat_id=	Zworykin.exe, 00000002.00000002.1516199549.0000000001C00000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2738480123.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Zworykin.exe, 00000005.00000002.1631102681.0000000003CB0000.00000004.00001000.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	Zworykin.exe, 00000002.00000002.1516199549.0000000001C00000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2738480123.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2739762525.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, Zworykin.exe, 00000005.00000002.1631102681.0000000003CB0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2739614789.0000000002F09000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
193.122.6.168	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	false
104.21.64.1	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1636424
Start date and time:	2025-03-12 19:13:20 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Yeni Sat#U0131nalma Sipari#U015fi.exe renamed because original name is a hash value
Original Sample Name:	Yeni Satnalma Siparii.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@10/6@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 50 Number of non-executed functions: 287
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 52.149.20.212
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:15:22	API Interceptor	805535x Sleep call for process: RegSvcs.exe modified
19:14:50	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Zworykin.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
193.122.6.168	QUOTATION_FEBQUOTE312025PDF.scr.exe	Get hash	malicious	MSIL Logger	Browse	checkip.dyndns.org/
	Way bill & Invoice.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	New Order RFQ- 19A20060.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	INQ_NO_097590_0109_Order.cmd	Get hash	malicious	DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	SIP_20252701095738583757327401213.bat.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/
	4kobC6KGC3.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	p7wgyD3kbI.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	hcy2SdW2z6.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	C7fclY8IiM.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	oybsEA5EhR.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
104.21.64.1	Compliance_Review_Documents_COSCO20250307_pdf.bat.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/sccc/five/fre.php
	0xHPSESJcg.exe	Get hash	malicious	FormBook	Browse	www.otogel.pro/oi08/?Ezu=HLGOigk8zC7c6l2lrMh01rQ2OJKxivxPRh38Fqcsh+790en3zOTPiNsvxvX68DUiI9Ju&q6A=GbtXjbKPa
	7zKn77RsRX.exe	Get hash	malicious	FormBook	Browse	www.newanthoperso.shop/3nis/
	IBbGrGi4A7.exe	Get hash	malicious	FormBook	Browse	www.rbopisalive.cyou/a669/
	ysWQ4BqQrF.exe	Get hash	malicious	FormBook	Browse	www.play-vanguard-nirvana.xyz/egs9/?mVfp=MTrLPvVhZLm&K8elV=2m/uVQwqKH2EIWlawszTKzvIepBfVH/HI19qzylF05nDLsWuBLn1pb4DiFDzbC4NqmTLwL8cGw==
	TXzf0xX2uq.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/tking3/five/fre.php
	begin.exe	Get hash	malicious	DarkTortilla, FormBook	Browse	www.kdrqcyusevx.info/z84n/
	Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/fix/five/fre.php
	Payment.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/sccc/five/fre.php
	7RryusxiMtHBz80.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/sss2/five/fre.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	132.226.247.73
	QUOTATION_FEBQUOTE312025PDF.scr.exe	Get hash	malicious	MSIL Logger	Browse	193.122.6.168
	PENDING PAYMENT FOR March SOA.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	Yeni Sat#U0131nalma Sipari#U015fi.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	193.122.130.0
	MALZEME G_0017 TABANCA SPREY NOZUL.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	Way bill & Invoice.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	file.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	132.226.8.169
	file.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	193.122.130.0
	#rfq=O250116 - #U304a#U3088#U3073#U8cfc#U5165#U5951#U7d04- Offer Z01G-00008D SUPPLY - H64PO.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
reallyfreegeoip.org	DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.48.1
	QUOTATION_FEBQUOTE312025PDF.scr.exe	Get hash	malicious	MSIL Logger	Browse	104.21.16.1
	PENDING PAYMENT FOR March SOA.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.64.1
	Yeni Sat#U0131nalma Sipari#U015fi.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.96.1
	MALZEME G_0017 TABANCA SPREY NOZUL.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	Way bill & Invoice.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	file.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.48.1
	file.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.96.1
	#rfq=O250116 - #U304a#U3088#U3073#U8cfc#U5165#U5951#U7d04- Offer Z01G-00008D SUPPLY - H64PO.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.80.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	4500149631.vbe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	QUOTATION_FEBQUOTE312025PDF.scr.exe	Get hash	malicious	MSIL Logger	Browse	193.122.6.168
	Yeni Sat#U0131nalma Sipari#U015fi.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	193.122.130.0
	MALZEME G_0017 TABANCA SPREY NOZUL.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	Way bill & Invoice.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	cbr.m68k.elf	Get hash	malicious	Mirai	Browse	144.25.156.103
	file.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	193.122.130.0
	http://account.hrblock.com	Get hash	malicious	Unknown	Browse	130.61.120.2
	#rfq=O250116 - #U304a#U3088#U3073#U8cfc#U5165#U5951#U7d04- Offer Z01G-00008D SUPPLY - H64PO.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	PAGOS RETRASADOS.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.130.0
CLOUDFLARENETUS	4500149631.vbe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.80.1
	Robert Martin shared _Clarion Security _ with you {Ref _8589}.eml	Get hash	malicious	Invisible JS, Tycoon2FA	Browse	104.18.35.178
	DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.48.1
	https://check.tefee.icu/gkcxv.google?i=ee24ce31-7ff2-4ac9-8683-49d2f7670b48%20#%20''I%20am%20not%20a%20'robot'%20-%20%D0%B3e%D0%A1%D0%90%D0%A0%D0%A2%D0%A1%D0%9D%D0%90%20Verification%20ID:%203259''	Get hash	malicious	Unknown	Browse	104.21.80.1
	signed contract 01.xls	Get hash	malicious	Unknown	Browse	104.21.68.120
	https://www.deliveryoka.com/webservice_ionic/captchav2.html?vv	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	1.1.1.1
	Document.xls	Get hash	malicious	Unknown	Browse	104.21.68.120
	signed contract 01.xls	Get hash	malicious	Unknown	Browse	104.21.68.120
	DHL_AWB#6078538091.exe	Get hash	malicious	FormBook	Browse	172.67.148.163
	Document.xls	Get hash	malicious	Unknown	Browse	104.21.68.120

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	4500149631.vbe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.64.1
	DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.64.1
	PENDING PAYMENT FOR March SOA.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.64.1
	Yeni Sat#U0131nalma Sipari#U015fi.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.64.1
	MALZEME G_0017 TABANCA SPREY NOZUL.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.64.1
	Way bill & Invoice.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.64.1
	1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
	file.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.64.1
	file.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.64.1
	R9rwNLVzpr.exe	Get hash	malicious	Phemedrone Stealer	Browse	104.21.64.1

Process:	C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe
File Type:	data
Category:	dropped
Size (bytes):	58900
Entropy (8bit):	7.880253455716329
Encrypted:	false
SSDEEP:	1536:3CtdlZtXNm0069iyyShTKzDLCezAm16zQAX4Q:3MlPNcP9zAQAr
MD5:	B7EFB3977EB98601161A62D94EB45CCF
SHA1:	86816DDB393A2F65BFCF32E5E19CECF9E1F5E64A
SHA-256:	2A74362253C4CB5D174114D46CB826E5A1C0DBDDF0420F91BC021386C305460A
SHA-512:	7824E3E4F48807CEEF33517569D7F438E1004AC2274EE847694CD46BC5138041D6ED3369DCA3FA3D9A83323CEF41D9282904976C438E5DCA1CBAC670BB693411
Malicious:	false
Reputation:	low
Preview:	EA06..n..GyTJl.o5..h...>.G.Q)......Qf.z=h.;4@....Nj_...^.^.....)c..ivZ..Q=.K.Qz.ZG..b.Y..m;...l....N.....u:..............Cp .Z..h.t..G.H).y......-n.N..?..(.q.....D.oM..Ff..5..Z.Z..Tb.8..j.zU..'..j..,....p.N..i...9.U.....w...) !_..w.m.N)....F(....WmtI..\..`..jm..p...8...7.....T.4..1. ......<....M..X..CT.T..z.....T'@.....5.F....G..5z<H.8..fT...0..+@B...D.`..B.......\.s..Tf..@..&.Zu.}M...j..T@.#17.......t.8Z..3;..'.....p.......B.8V@.3D.Y..y...b.Q..z=j.N..h.jm.e.....o7....I...t..9.@-.}`.Qg]z.j.J.D..z?.{E.T..%7.!......aW......k7.[..Y...Z.Q&........z...N...M.J'C.Q.T+0..=..g.Y.^...Ge3x.:.8....M..3.Mc......V...L.k7.........TG&....8../.{...U.....%"._..9..B...M.....a9..)..a]../....k7..".I.^.Z..&..0.a..S..z...!.....5..W..&....%..1....%...c....-D.Lf....qE.F@..t~...G@..dro7.....b.m.Q)....1D.Q....".3.G.?).Vyv..#...6....3./P..t..o3Ix.....bQ..WsO..&.y.....Uhrx=:o3..i.n5BKW..(..U..`.Q../D.".8M.3...Q}..i.;t.k6.e5.(E..D.Ov. .BE......^S....I.jU..p.{p.0.d.'Pp.....

C:\Users\user\AppData\Local\Temp\aut21E5.tmp

Download File

Process:	C:\Users\user\AppData\Local\oxman\Zworykin.exe
File Type:	data
Category:	dropped
Size (bytes):	58900
Entropy (8bit):	7.880253455716329
Encrypted:	false
SSDEEP:	1536:3CtdlZtXNm0069iyyShTKzDLCezAm16zQAX4Q:3MlPNcP9zAQAr
MD5:	B7EFB3977EB98601161A62D94EB45CCF
SHA1:	86816DDB393A2F65BFCF32E5E19CECF9E1F5E64A
SHA-256:	2A74362253C4CB5D174114D46CB826E5A1C0DBDDF0420F91BC021386C305460A
SHA-512:	7824E3E4F48807CEEF33517569D7F438E1004AC2274EE847694CD46BC5138041D6ED3369DCA3FA3D9A83323CEF41D9282904976C438E5DCA1CBAC670BB693411
Malicious:	false
Reputation:	low
Preview:	EA06..n..GyTJl.o5..h...>.G.Q)......Qf.z=h.;4@....Nj_...^.^.....)c..ivZ..Q=.K.Qz.ZG..b.Y..m;...l....N.....u:..............Cp .Z..h.t..G.H).y......-n.N..?..(.q.....D.oM..Ff..5..Z.Z..Tb.8..j.zU..'..j..,....p.N..i...9.U.....w...) !_..w.m.N)....F(....WmtI..\..`..jm..p...8...7.....T.4..1. ......<....M..X..CT.T..z.....T'@.....5.F....G..5z<H.8..fT...0..+@B...D.`..B.......\.s..Tf..@..&.Zu.}M...j..T@.#17.......t.8Z..3;..'.....p.......B.8V@.3D.Y..y...b.Q..z=j.N..h.jm.e.....o7....I...t..9.@-.}`.Qg]z.j.J.D..z?.{E.T..%7.!......aW......k7.[..Y...Z.Q&........z...N...M.J'C.Q.T+0..=..g.Y.^...Ge3x.:.8....M..3.Mc......V...L.k7.........TG&....8../.{...U.....%"._..9..B...M.....a9..)..a]../....k7..".I.^.Z..&..0.a..S..z...!.....5..W..&....%..1....%...c....-D.Lf....qE.F@..t~...G@..dro7.....b.m.Q)....1D.Q....".3.G.?).Vyv..#...6....3./P..t..o3Ix.....bQ..WsO..&.y.....Uhrx=:o3..i.n5BKW..(..U..`.Q../D.".8M.3...Q}..i.;t.k6.e5.(E..D.Ov. .BE......^S....I.jU..p.{p.0.d.'Pp.....

C:\Users\user\AppData\Local\Temp\aut4D0C.tmp

Download File

Process:	C:\Users\user\AppData\Local\oxman\Zworykin.exe
File Type:	data
Category:	dropped
Size (bytes):	58900
Entropy (8bit):	7.880253455716329
Encrypted:	false
SSDEEP:	1536:3CtdlZtXNm0069iyyShTKzDLCezAm16zQAX4Q:3MlPNcP9zAQAr
MD5:	B7EFB3977EB98601161A62D94EB45CCF
SHA1:	86816DDB393A2F65BFCF32E5E19CECF9E1F5E64A
SHA-256:	2A74362253C4CB5D174114D46CB826E5A1C0DBDDF0420F91BC021386C305460A
SHA-512:	7824E3E4F48807CEEF33517569D7F438E1004AC2274EE847694CD46BC5138041D6ED3369DCA3FA3D9A83323CEF41D9282904976C438E5DCA1CBAC670BB693411
Malicious:	false
Reputation:	low
Preview:	EA06..n..GyTJl.o5..h...>.G.Q)......Qf.z=h.;4@....Nj_...^.^.....)c..ivZ..Q=.K.Qz.ZG..b.Y..m;...l....N.....u:..............Cp .Z..h.t..G.H).y......-n.N..?..(.q.....D.oM..Ff..5..Z.Z..Tb.8..j.zU..'..j..,....p.N..i...9.U.....w...) !_..w.m.N)....F(....WmtI..\..`..jm..p...8...7.....T.4..1. ......<....M..X..CT.T..z.....T'@.....5.F....G..5z<H.8..fT...0..+@B...D.`..B.......\.s..Tf..@..&.Zu.}M...j..T@.#17.......t.8Z..3;..'.....p.......B.8V@.3D.Y..y...b.Q..z=j.N..h.jm.e.....o7....I...t..9.@-.}`.Qg]z.j.J.D..z?.{E.T..%7.!......aW......k7.[..Y...Z.Q&........z...N...M.J'C.Q.T+0..=..g.Y.^...Ge3x.:.8....M..3.Mc......V...L.k7.........TG&....8../.{...U.....%"._..9..B...M.....a9..)..a]../....k7..".I.^.Z..&..0.a..S..z...!.....5..W..&....%..1....%...c....-D.Lf....qE.F@..t~...G@..dro7.....b.m.Q)....1D.Q....".3.G.?).Vyv..#...6....3./P..t..o3Ix.....bQ..WsO..&.y.....Uhrx=:o3..i.n5BKW..(..U..`.Q../D.".8M.3...Q}..i.;t.k6.e5.(E..D.Ov. .BE......^S....I.jU..p.{p.0.d.'Pp.....

C:\Users\user\AppData\Local\Temp\unspawned

Download File

Process:	C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe
File Type:	data
Category:	dropped
Size (bytes):	93696
Entropy (8bit):	6.734198755753971
Encrypted:	false
SSDEEP:	1536:HwdylCQQHh6Bft7ev9rpOTBwAakcwYSxC/JnJiMZvizpV0lxfIgqpzZh:HCSCyBft7ev9rkWAaPjSxOnJiMZv4pvH
MD5:	0D8989349BCD3E13BBAFE5F564D65372
SHA1:	71DD02528D0BEC64809D1174AB804E08F5394D54
SHA-256:	326E60050D17E7FFF251B0D7DDF841323A6FC7245E458CE41B0D712734464E8D
SHA-512:	6BD6D2BFFCE8B8CC5B189D96BCAF453BAA471D707CFBCF9C76FC4C392BD2E92E70682F88894ECC202318189EA53AD47E104022F5FFFE586242390480E523B96D
Malicious:	false
Reputation:	low
Preview:	...DM7753MD8..WG.DN7757M.8E0WGZDN7757MD8E0WGZDN7757MD8E0WGZD.7759R.6E.^.{.O{..c%-Ke@%(=6/Z.VV#W1.5"z6;Y.\Ym.w..:(>!`::?.MD8E0WG..N7{44M.V..WGZDN775.MF9N1.GZ O77=7MD8E0..[DN.757.E8E0.GZdN7777M@8E0WGZDH7757MD8E.VGZFN7757MF8%.WGJDN'757MT8E WGZDN7'57MD8E0WGZD..65xMD8E.VG.AN7757MD8E0WGZDN7757.E8I0WGZDN7757MD8E0WGZDN7757MD8E0WGZDN7757MD8E0WGZDN7757mD8M0WGZDN7757ML.E0.GZDN7757MD8kD2?.DN7.W6MD.E0W#[DN5757MD8E0WGZDN7.57-jJ6B4GZD.2757.E8E6WGZ"O7757MD8E0WGZD.77u.?!TSWGVDN77.6MD:E0W+[DN7757MD8E0WG.DNu757MD8E0WGZDN775..E8E0WG.DN7552M8.E0..ZDM775mMD>..WG.DN7757MD8E0WGZDN7757MD8E0WGZDN7757MD8E0WGZD.J.:...Q6..GZDN7745N@>M8WGZDN775IMD8.0WG.DN7.57Ma8E0:GZDj775IMD8;0WG>DN7E57M%8E0.GZD!775YMD8;0WGDFf(75=gb8G.wGZNN..F.MD2.1WG^7l77?.OD8ACtGZN.4753>`8E:.CZDJD.57G.=E0Sm.DM.!37M_W}0WMZG."157Vn.E2.~ZDD7..7N.-C0W\pfN5.<7M@..CJGZBfu75=9M8E2.MZDJ.)7..D8O.u9IDN3.5.o:,E0SlZnlI"57Io8o.)QZDJ.7..3S8E4\|GpBdU7G.ADHF_6GZBf.75=e.8E6Wm`D09753O+.E0]ap~N.g57KD..0WAZn.7I.7M@.BNdGZ@e!I.7M@.CHWG\7.77?..w8E4..ZDD7..7e.8E6Wo.DN1

C:\Users\user\AppData\Local\oxman\Zworykin.exe

Download File

Process:	C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	960512
Entropy (8bit):	6.836951326994132
Encrypted:	false
SSDEEP:	24576:ku6J33O0c+JY5UZ+XC0kGso6FaIH6FYvsNWY:eu0c++OCvkGs9FaIaF+Y
MD5:	1D6FBCCFA75078F519145C919BF1F9C4
SHA1:	8655F9FF87B27957A1B27FC527A2C1BB1EF753F4
SHA-256:	B74744471B823E007F6BA0D453869112B604EDD2D3AA93AD5CB955858AF54C35
SHA-512:	180E0CF94BB264942A93B6B70271AE1D82BA045460001C49EAC9319C748E89187003DC9BF144DA506DA245BF3DD3EC9B59DB31AAF3CD7E12000A32A689FCB78C
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 66% Antivirus: Virustotal, Detection: 44%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}.r}.r}.4,".p}.....s}../..A}../#..}../".G}.{.@.{}.{.P.W}.r}.R....)."}.....s}../..s}.r}T.s}.....s}.Richr}.................PE..L......g.........."..................}............@.......................................@...@.......@.....................L...\|....p...........................q...+..............................pH..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc........p... ..................@..@.reloc...q.......r...6..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Zworykin.vbs

Download File

Process:	C:\Users\user\AppData\Local\oxman\Zworykin.exe
File Type:	data
Category:	dropped
Size (bytes):	274
Entropy (8bit):	3.456666865215544
Encrypted:	false
SSDEEP:	6:DMM8lfm3OOQdUfclzXUEZ+lX1KloAAnriIM8lfQVn:DsO+vNlDQ19AGmA2n
MD5:	1297B9DB5BD065CCF4A2E43E528156D2
SHA1:	839F61BFB15CB0B66453E2E7C7CFF4F279B4EAEE
SHA-256:	3A9A8DD1659881118B22165B05B2AD47ECFE285657375905B0BF565E97044954
SHA-512:	91FAAEFABA6889EF620E73DA193FF79DFEA572AAE851A777C3A8D7C1D33FDF10803F78192F3F2851D8CF4B2E4BB15FD8CE6F15BEC65B98E1B5F3876494C471CD
Malicious:	true
Reputation:	low
Preview:	S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.o.x.m.a.n.\.Z.w.o.r.y.k.i.n...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.836951326994132
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Yeni Sat#U0131nalma Sipari#U015fi.exe
File size:	960'512 bytes
MD5:	1d6fbccfa75078f519145c919bf1f9c4
SHA1:	8655f9ff87b27957a1b27fc527a2c1bb1ef753f4
SHA256:	b74744471b823e007f6ba0d453869112b604edd2d3aa93ad5cb955858af54c35
SHA512:	180e0cf94bb264942a93b6b70271ae1d82ba045460001c49eac9319c748e89187003dc9bf144da506da245bf3dd3ec9b59db31aaf3cd7e12000a32a689fcb78c
SSDEEP:	24576:ku6J33O0c+JY5UZ+XC0kGso6FaIH6FYvsNWY:eu0c++OCvkGs9FaIaF+Y
TLSH:	5015AE2273DDC360CB669173BF6AB7016EBF3C610630B95B2F980D7DA950161262D7A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67D0F7C4 [Wed Mar 12 02:56:04 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F8FB0CA2F6Ah
jmp 00007F8FB0C95D34h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F8FB0C95EBAh
cmp edi, eax
jc 00007F8FB0C9621Eh
bt dword ptr [004C31FCh], 01h
jnc 00007F8FB0C95EB9h
rep movsb
jmp 00007F8FB0C961CCh
cmp ecx, 00000080h
jc 00007F8FB0C96084h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F8FB0C95EC0h
bt dword ptr [004BE324h], 01h
jc 00007F8FB0C96390h
bt dword ptr [004C31FCh], 00000000h
jnc 00007F8FB0C9605Dh
test edi, 00000003h
jne 00007F8FB0C9606Eh
test esi, 00000003h
jne 00007F8FB0C9604Dh
bt edi, 02h
jnc 00007F8FB0C95EBFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F8FB0C95EC3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F8FB0C95F15h
bt esi, 03h
jnc 00007F8FB0C95F68h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x21e84	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe9000	0x711c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	d28a820a1d9ff26cda02d12b888ba4b4	False	0.5728679102422908	data	6.676118058520316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x21e84	0x22000	201e0401bf2264736890a1b0f828847b	False	0.8052978515625	data	7.554456077065501	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe9000	0x711c	0x7200	6fcae3cbbf6bfbabf5ec5bbe7cf612c3	False	0.7650767543859649	data	6.779031650454199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc75a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc76d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc77f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc7c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc7d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc8bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc9480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc99e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xcbf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xcd038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcda84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xce110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcf660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcf7b8	0x1914b	data			1.000399100563608
RT_GROUP_ICON	0xe8904	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xe897c	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xe8990	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xe89a4	0x14	data	English	Great Britain	1.25
RT_VERSION	0xe89b8	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xe8a94	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Version Infos

Description	Data
Translation	0x0809 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-12T19:14:51.873284+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49689	193.122.6.168	80	TCP
2025-03-12T19:15:25.888909+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49695	193.122.6.168	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 12, 2025 19:14:50.995230913 CET	49689	80	192.168.2.6	193.122.6.168
Mar 12, 2025 19:14:50.999973059 CET	80	49689	193.122.6.168	192.168.2.6
Mar 12, 2025 19:14:51.000334978 CET	49689	80	192.168.2.6	193.122.6.168
Mar 12, 2025 19:14:51.000652075 CET	49689	80	192.168.2.6	193.122.6.168
Mar 12, 2025 19:14:51.005326986 CET	80	49689	193.122.6.168	192.168.2.6
Mar 12, 2025 19:14:51.632642031 CET	80	49689	193.122.6.168	192.168.2.6
Mar 12, 2025 19:14:51.637653112 CET	49689	80	192.168.2.6	193.122.6.168
Mar 12, 2025 19:14:51.642374039 CET	80	49689	193.122.6.168	192.168.2.6
Mar 12, 2025 19:14:51.824301958 CET	80	49689	193.122.6.168	192.168.2.6
Mar 12, 2025 19:14:51.837338924 CET	49690	443	192.168.2.6	104.21.64.1
Mar 12, 2025 19:14:51.837388992 CET	443	49690	104.21.64.1	192.168.2.6
Mar 12, 2025 19:14:51.837506056 CET	49690	443	192.168.2.6	104.21.64.1
Mar 12, 2025 19:14:51.848875046 CET	49690	443	192.168.2.6	104.21.64.1
Mar 12, 2025 19:14:51.848910093 CET	443	49690	104.21.64.1	192.168.2.6
Mar 12, 2025 19:14:51.873284101 CET	49689	80	192.168.2.6	193.122.6.168
Mar 12, 2025 19:14:53.588781118 CET	443	49690	104.21.64.1	192.168.2.6
Mar 12, 2025 19:14:53.588900089 CET	49690	443	192.168.2.6	104.21.64.1
Mar 12, 2025 19:14:53.594755888 CET	49690	443	192.168.2.6	104.21.64.1
Mar 12, 2025 19:14:53.594777107 CET	443	49690	104.21.64.1	192.168.2.6
Mar 12, 2025 19:14:53.595259905 CET	443	49690	104.21.64.1	192.168.2.6
Mar 12, 2025 19:14:53.638859034 CET	49690	443	192.168.2.6	104.21.64.1
Mar 12, 2025 19:14:53.654202938 CET	49690	443	192.168.2.6	104.21.64.1
Mar 12, 2025 19:14:53.696336031 CET	443	49690	104.21.64.1	192.168.2.6
Mar 12, 2025 19:14:54.110003948 CET	443	49690	104.21.64.1	192.168.2.6
Mar 12, 2025 19:14:54.110069036 CET	443	49690	104.21.64.1	192.168.2.6
Mar 12, 2025 19:14:54.110210896 CET	49690	443	192.168.2.6	104.21.64.1
Mar 12, 2025 19:14:54.131803989 CET	49690	443	192.168.2.6	104.21.64.1
Mar 12, 2025 19:15:02.342931986 CET	49691	80	192.168.2.6	193.122.6.168
Mar 12, 2025 19:15:02.348253965 CET	80	49691	193.122.6.168	192.168.2.6
Mar 12, 2025 19:15:02.348357916 CET	49691	80	192.168.2.6	193.122.6.168
Mar 12, 2025 19:15:02.348588943 CET	49691	80	192.168.2.6	193.122.6.168
Mar 12, 2025 19:15:02.353358984 CET	80	49691	193.122.6.168	192.168.2.6
Mar 12, 2025 19:15:23.730432034 CET	80	49691	193.122.6.168	192.168.2.6
Mar 12, 2025 19:15:23.730808020 CET	49691	80	192.168.2.6	193.122.6.168
Mar 12, 2025 19:15:23.757844925 CET	49691	80	192.168.2.6	193.122.6.168
Mar 12, 2025 19:15:23.760055065 CET	49694	80	192.168.2.6	193.122.6.168
Mar 12, 2025 19:15:23.762569904 CET	80	49691	193.122.6.168	192.168.2.6
Mar 12, 2025 19:15:23.764820099 CET	80	49694	193.122.6.168	192.168.2.6
Mar 12, 2025 19:15:23.764909983 CET	49694	80	192.168.2.6	193.122.6.168
Mar 12, 2025 19:15:23.765028954 CET	49694	80	192.168.2.6	193.122.6.168
Mar 12, 2025 19:15:23.769655943 CET	80	49694	193.122.6.168	192.168.2.6
Mar 12, 2025 19:15:25.092437983 CET	80	49694	193.122.6.168	192.168.2.6
Mar 12, 2025 19:15:25.138931990 CET	49694	80	192.168.2.6	193.122.6.168
Mar 12, 2025 19:15:25.140484095 CET	49694	80	192.168.2.6	193.122.6.168
Mar 12, 2025 19:15:25.141489029 CET	49695	80	192.168.2.6	193.122.6.168
Mar 12, 2025 19:15:25.145354033 CET	80	49694	193.122.6.168	192.168.2.6
Mar 12, 2025 19:15:25.145442009 CET	49694	80	192.168.2.6	193.122.6.168
Mar 12, 2025 19:15:25.146163940 CET	80	49695	193.122.6.168	192.168.2.6
Mar 12, 2025 19:15:25.146234035 CET	49695	80	192.168.2.6	193.122.6.168
Mar 12, 2025 19:15:25.146342039 CET	49695	80	192.168.2.6	193.122.6.168
Mar 12, 2025 19:15:25.150943995 CET	80	49695	193.122.6.168	192.168.2.6
Mar 12, 2025 19:15:25.842781067 CET	80	49695	193.122.6.168	192.168.2.6
Mar 12, 2025 19:15:25.851145983 CET	49696	443	192.168.2.6	104.21.64.1
Mar 12, 2025 19:15:25.851200104 CET	443	49696	104.21.64.1	192.168.2.6
Mar 12, 2025 19:15:25.851269960 CET	49696	443	192.168.2.6	104.21.64.1
Mar 12, 2025 19:15:25.874676943 CET	49696	443	192.168.2.6	104.21.64.1
Mar 12, 2025 19:15:25.874694109 CET	443	49696	104.21.64.1	192.168.2.6
Mar 12, 2025 19:15:25.888909101 CET	49695	80	192.168.2.6	193.122.6.168
Mar 12, 2025 19:15:27.662354946 CET	443	49696	104.21.64.1	192.168.2.6
Mar 12, 2025 19:15:27.662451029 CET	49696	443	192.168.2.6	104.21.64.1
Mar 12, 2025 19:15:27.665417910 CET	49696	443	192.168.2.6	104.21.64.1
Mar 12, 2025 19:15:27.665426970 CET	443	49696	104.21.64.1	192.168.2.6
Mar 12, 2025 19:15:27.665724993 CET	443	49696	104.21.64.1	192.168.2.6
Mar 12, 2025 19:15:27.717082024 CET	49696	443	192.168.2.6	104.21.64.1
Mar 12, 2025 19:15:27.752480030 CET	49696	443	192.168.2.6	104.21.64.1
Mar 12, 2025 19:15:27.800318956 CET	443	49696	104.21.64.1	192.168.2.6
Mar 12, 2025 19:15:28.313287020 CET	443	49696	104.21.64.1	192.168.2.6
Mar 12, 2025 19:15:28.315983057 CET	443	49696	104.21.64.1	192.168.2.6
Mar 12, 2025 19:15:28.316099882 CET	49696	443	192.168.2.6	104.21.64.1
Mar 12, 2025 19:15:28.320988894 CET	49696	443	192.168.2.6	104.21.64.1
Mar 12, 2025 19:15:56.824007034 CET	80	49689	193.122.6.168	192.168.2.6
Mar 12, 2025 19:15:56.824258089 CET	49689	80	192.168.2.6	193.122.6.168
Mar 12, 2025 19:16:30.843693018 CET	80	49695	193.122.6.168	192.168.2.6
Mar 12, 2025 19:16:30.844038010 CET	49695	80	192.168.2.6	193.122.6.168
Mar 12, 2025 19:16:31.826908112 CET	49689	80	192.168.2.6	193.122.6.168
Mar 12, 2025 19:16:31.831743002 CET	80	49689	193.122.6.168	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 12, 2025 19:14:50.940704107 CET	61106	53	192.168.2.6	1.1.1.1
Mar 12, 2025 19:14:50.989089966 CET	53	61106	1.1.1.1	192.168.2.6
Mar 12, 2025 19:14:51.826112032 CET	49408	53	192.168.2.6	1.1.1.1
Mar 12, 2025 19:14:51.836218119 CET	53	49408	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 12, 2025 19:14:50.940704107 CET	192.168.2.6	1.1.1.1	0x3a30	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Mar 12, 2025 19:14:51.826112032 CET	192.168.2.6	1.1.1.1	0x5567	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 12, 2025 19:14:50.989089966 CET	1.1.1.1	192.168.2.6	0x3a30	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 12, 2025 19:14:50.989089966 CET	1.1.1.1	192.168.2.6	0x3a30	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Mar 12, 2025 19:14:50.989089966 CET	1.1.1.1	192.168.2.6	0x3a30	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Mar 12, 2025 19:14:50.989089966 CET	1.1.1.1	192.168.2.6	0x3a30	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Mar 12, 2025 19:14:50.989089966 CET	1.1.1.1	192.168.2.6	0x3a30	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Mar 12, 2025 19:14:50.989089966 CET	1.1.1.1	192.168.2.6	0x3a30	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Mar 12, 2025 19:14:51.836218119 CET	1.1.1.1	192.168.2.6	0x5567	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Mar 12, 2025 19:14:51.836218119 CET	1.1.1.1	192.168.2.6	0x5567	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Mar 12, 2025 19:14:51.836218119 CET	1.1.1.1	192.168.2.6	0x5567	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Mar 12, 2025 19:14:51.836218119 CET	1.1.1.1	192.168.2.6	0x5567	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Mar 12, 2025 19:14:51.836218119 CET	1.1.1.1	192.168.2.6	0x5567	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Mar 12, 2025 19:14:51.836218119 CET	1.1.1.1	192.168.2.6	0x5567	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Mar 12, 2025 19:14:51.836218119 CET	1.1.1.1	192.168.2.6	0x5567	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49689	193.122.6.168	80	6392	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Mar 12, 2025 19:14:51.000652075 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Mar 12, 2025 19:14:51.632642031 CET	273	IN	HTTP/1.1 200 OK Date: Wed, 12 Mar 2025 18:14:51 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Mar 12, 2025 19:14:51.637653112 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Mar 12, 2025 19:14:51.824301958 CET	273	IN	HTTP/1.1 200 OK Date: Wed, 12 Mar 2025 18:14:51 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49691	193.122.6.168	80	2764	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Mar 12, 2025 19:15:02.348588943 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49694	193.122.6.168	80	2764	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Mar 12, 2025 19:15:23.765028954 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Mar 12, 2025 19:15:25.092437983 CET	273	IN	HTTP/1.1 200 OK Date: Wed, 12 Mar 2025 18:15:25 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49695	193.122.6.168	80	2764	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Mar 12, 2025 19:15:25.146342039 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Mar 12, 2025 19:15:25.842781067 CET	273	IN	HTTP/1.1 200 OK Date: Wed, 12 Mar 2025 18:15:25 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49690	104.21.64.1	443	6392	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-12 18:14:53 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-03-12 18:14:54 UTC	853	IN	HTTP/1.1 200 OK Date: Wed, 12 Mar 2025 18:14:53 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 211766 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Mon, 10 Mar 2025 07:25:27 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QNomZtcmhHsTIHhIvQ3MllLr5Lqvkl4cTMqMnvpqt8WNYZ100vzdLr%2ByR6DCyzrNUEUY9qgytDCmw58HtQQ9vmTpmKh6KGTuhpll5e53U2AWeYQeU1akU0gN8RKqklEgXZAUU9Co"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91f5461aedfc7a5f-ORD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=148811&min_rtt=29401&rtt_var=95966&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=98479&cwnd=220&unsent_bytes=0&cid=d67d714a779f24fe&ts=537&x=0"
2025-03-12 18:14:54 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49696	104.21.64.1	443	2764	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-12 18:15:27 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-03-12 18:15:28 UTC	860	IN	HTTP/1.1 200 OK Date: Wed, 12 Mar 2025 18:15:27 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 211800 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Mon, 10 Mar 2025 07:25:27 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=k7hKZWdrR4f5LCTUW%2BvHS0%2FDv1FfssYL5hS%2BAkrj8suEfPXcphwk%2FacaagzGRzk1QjKKmcXJEYbULQwghMX07La7rIpYhhu03F3DfMmssLPsS1hU5vT7mwO0K1vowz%2Bfnb2yrAgp"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91f546efb97de25e-ORD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=50729&min_rtt=41977&rtt_var=33247&sent=6&recv=7&lost=0&retrans=1&sent_bytes=4252&recv_bytes=699&delivery_rate=25983&cwnd=251&unsent_bytes=0&cid=42d32ae856bdaeb1&ts=606&x=0"
2025-03-12 18:15:28 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	14:14:46
Start date:	12/03/2025
Path:	C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe"
Imagebase:	0xeb0000
File size:	960'512 bytes
MD5 hash:	1D6FBCCFA75078F519145C919BF1F9C4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	14:14:47
Start date:	12/03/2025
Path:	C:\Users\user\AppData\Local\oxman\Zworykin.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe"
Imagebase:	0x580000
File size:	960'512 bytes
MD5 hash:	1D6FBCCFA75078F519145C919BF1F9C4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000002.00000002.1516199549.0000000001C00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1516199549.0000000001C00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 00000002.00000002.1516199549.0000000001C00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.1516199549.0000000001C00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.1516199549.0000000001C00000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000002.00000002.1516199549.0000000001C00000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
Antivirus matches:	Detection: 100%, Avira Detection: 66%, ReversingLabs Detection: 44%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	14:14:49
Start date:	12/03/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Yeni Sat#U0131nalma Sipari#U015fi.exe"
Imagebase:	0xcb0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000003.00000002.2738480123.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2738480123.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 00000003.00000002.2738480123.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.2738480123.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.2738480123.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2739762525.00000000031C6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	14:14:58
Start date:	12/03/2025
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Zworykin.vbs"
Imagebase:	0x7ff7548d0000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	14:14:59
Start date:	12/03/2025
Path:	C:\Users\user\AppData\Local\oxman\Zworykin.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\oxman\Zworykin.exe"
Imagebase:	0x580000
File size:	960'512 bytes
MD5 hash:	1D6FBCCFA75078F519145C919BF1F9C4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000005.00000002.1631102681.0000000003CB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.1631102681.0000000003CB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 00000005.00000002.1631102681.0000000003CB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000005.00000002.1631102681.0000000003CB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000005.00000002.1631102681.0000000003CB0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000005.00000002.1631102681.0000000003CB0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	14:15:00
Start date:	12/03/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\oxman\Zworykin.exe"
Imagebase:	0xbd0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2739614789.0000000002FCC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Yeni Sat#U0131nalma Sipari#U015fi.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\aut1BCA.tmp

C:\Users\user\AppData\Local\Temp\aut21E5.tmp

C:\Users\user\AppData\Local\Temp\aut4D0C.tmp

C:\Users\user\AppData\Local\Temp\unspawned

C:\Users\user\AppData\Local\oxman\Zworykin.exe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Zworykin.vbs

Static File Info

General

File Icon

Static PE Info

General

Windows Analysis Report
Yeni Sat#U0131nalma Sipari#U015fi.exe