Edit tour

Windows Analysis Report
8QeI7CboDY.exe

Overview

General Information

Sample name:	8QeI7CboDY.exe renamed because original name is a hash value
Original sample name:	709a4ffec76d0c7715cb6a69a3610ede.exe
Analysis ID:	1636870
MD5:	709a4ffec76d0c7715cb6a69a3610ede
SHA1:	172283b9521e8530d1d35d6ebd3e58b448949a4c
SHA256:	b46c0a570d881198169c6cc53bb5e525e294fbc86e527e214926a9fc44e96981
Tags:	exeMassLoggeruser-abuse_ch
Infos:

Detection

MSIL Logger, MassLogger RAT

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected MSIL Logger

Yara detected MassLogger RAT

Yara detected Telegram RAT

.NET source code references suspicious native API functions

Binary is likely a compiled AutoIt script file

Contains functionality to log keystrokes (.Net Source)

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

8QeI7CboDY.exe (PID: 7608 cmdline: "C:\Users\user\Desktop\8QeI7CboDY.exe" MD5: 709A4FFEC76D0C7715CB6A69A3610EDE)

RegSvcs.exe (PID: 7624 cmdline: "C:\Users\user\Desktop\8QeI7CboDY.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "Telegram", "Telegram Token": "7996508565:AAHHBM6wSJS6GosO-ff2t38cxPw1t-vbBj8", "Telegram Chatid": "5758197122"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.2404391140.0000000000602000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000001.00000002.2404391140.0000000000602000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.2404391140.0000000000602000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000001.00000002.2404391140.0000000000602000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000001.00000002.2404391140.0000000000602000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xefdf:$a1: get_encryptedPassword 0xf307:$a2: get_encryptedUsername 0xed7a:$a3: get_timePasswordChanged 0xee9b:$a4: get_passwordField 0xeff5:$a5: set_encryptedPassword 0x10951:$a7: get_logins 0x10602:$a8: GetOutlookPasswords 0x103f4:$a9: StartKeylogger 0x108a1:$a10: KeyLoggerEventArgs 0x10451:$a11: KeyLoggerEventArgsEventHandler
00000001.00000002.2406091506.0000000002935000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1157358007.0000000000A90000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000000.00000002.1157358007.0000000000A90000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1157358007.0000000000A90000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000000.00000002.1157358007.0000000000A90000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1157358007.0000000000A90000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1df:$a1: get_encryptedPassword 0xf507:$a2: get_encryptedUsername 0xef7a:$a3: get_timePasswordChanged 0xf09b:$a4: get_passwordField 0xf1f5:$a5: set_encryptedPassword 0x10b51:$a7: get_logins 0x10802:$a8: GetOutlookPasswords 0x105f4:$a9: StartKeylogger 0x10aa1:$a10: KeyLoggerEventArgs 0x10651:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.1157358007.0000000000A90000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1418b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13689:$a3: \Google\Chrome\User Data\Default\Login Data 0x13997:$a4: \Orbitum\User Data\Default\Login Data 0x1478f:$a5: \Kometa\User Data\Default\Login Data
Process Memory Space: 8QeI7CboDY.exe PID: 7608	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: 8QeI7CboDY.exe PID: 7608	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 8QeI7CboDY.exe PID: 7608	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
Process Memory Space: 8QeI7CboDY.exe PID: 7608	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: 8QeI7CboDY.exe PID: 7608	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1aa671:$a1: get_encryptedPassword 0x1aa98a:$a2: get_encryptedUsername 0x1aa420:$a3: get_timePasswordChanged 0x1aa541:$a4: get_passwordField 0x1aa687:$a5: set_encryptedPassword 0x1abf8a:$a7: get_logins 0x1abc3b:$a8: GetOutlookPasswords 0x1aba2d:$a9: StartKeylogger 0x1abeda:$a10: KeyLoggerEventArgs 0x1aba8a:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 7624	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 7624	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7624	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
Process Memory Space: RegSvcs.exe PID: 7624	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 7624	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3b89e:$a1: get_encryptedPassword 0x3bbb7:$a2: get_encryptedUsername 0x3b64d:$a3: get_timePasswordChanged 0x3b76e:$a4: get_passwordField 0x3b8b4:$a5: set_encryptedPassword 0x3d1b7:$a7: get_logins 0x3ce68:$a8: GetOutlookPasswords 0x3cc5a:$a9: StartKeylogger 0x3d107:$a10: KeyLoggerEventArgs 0x3ccb7:$a11: KeyLoggerEventArgsEventHandler
Click to see the 17 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.8QeI7CboDY.exe.a90000.1.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.8QeI7CboDY.exe.a90000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.8QeI7CboDY.exe.a90000.1.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
0.2.8QeI7CboDY.exe.a90000.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.8QeI7CboDY.exe.a90000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1df:$a1: get_encryptedPassword 0xf507:$a2: get_encryptedUsername 0xef7a:$a3: get_timePasswordChanged 0xf09b:$a4: get_passwordField 0xf1f5:$a5: set_encryptedPassword 0x10b51:$a7: get_logins 0x10802:$a8: GetOutlookPasswords 0x105f4:$a9: StartKeylogger 0x10aa1:$a10: KeyLoggerEventArgs 0x10651:$a11: KeyLoggerEventArgsEventHandler
0.2.8QeI7CboDY.exe.a90000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1418b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13689:$a3: \Google\Chrome\User Data\Default\Login Data 0x13997:$a4: \Orbitum\User Data\Default\Login Data 0x1478f:$a5: \Kometa\User Data\Default\Login Data
1.2.RegSvcs.exe.600000.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
1.2.RegSvcs.exe.600000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.RegSvcs.exe.600000.0.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
1.2.RegSvcs.exe.600000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.RegSvcs.exe.600000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1df:$a1: get_encryptedPassword 0xf507:$a2: get_encryptedUsername 0xef7a:$a3: get_timePasswordChanged 0xf09b:$a4: get_passwordField 0xf1f5:$a5: set_encryptedPassword 0x10b51:$a7: get_logins 0x10802:$a8: GetOutlookPasswords 0x105f4:$a9: StartKeylogger 0x10aa1:$a10: KeyLoggerEventArgs 0x10651:$a11: KeyLoggerEventArgsEventHandler
1.2.RegSvcs.exe.600000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1418b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13689:$a3: \Google\Chrome\User Data\Default\Login Data 0x13997:$a4: \Orbitum\User Data\Default\Login Data 0x1478f:$a5: \Kometa\User Data\Default\Login Data
0.2.8QeI7CboDY.exe.a90000.1.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.8QeI7CboDY.exe.a90000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.8QeI7CboDY.exe.a90000.1.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
0.2.8QeI7CboDY.exe.a90000.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.8QeI7CboDY.exe.a90000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3df:$a1: get_encryptedPassword 0xd707:$a2: get_encryptedUsername 0xd17a:$a3: get_timePasswordChanged 0xd29b:$a4: get_passwordField 0xd3f5:$a5: set_encryptedPassword 0xed51:$a7: get_logins 0xea02:$a8: GetOutlookPasswords 0xe7f4:$a9: StartKeylogger 0xeca1:$a10: KeyLoggerEventArgs 0xe851:$a11: KeyLoggerEventArgsEventHandler
0.2.8QeI7CboDY.exe.a90000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1238b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x11889:$a3: \Google\Chrome\User Data\Default\Login Data 0x11b97:$a4: \Orbitum\User Data\Default\Login Data 0x1298f:$a5: \Kometa\User Data\Default\Login Data
Click to see the 13 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T08:13:47.466752+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49711	158.101.44.242	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 8QeI7CboDY.exe

Avira: detected

Found malware configuration

Source: 00000001.00000002.2406091506.0000000002811000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "7996508565:AAHHBM6wSJS6GosO-ff2t38cxPw1t-vbBj8", "Telegram Chatid": "5758197122"}

Multi AV Scanner detection for submitted file

Source: 8QeI7CboDY.exe	Virustotal: Detection: 41%			Perma Link
Source: 8QeI7CboDY.exe	ReversingLabs: Detection: 55%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: 8QeI7CboDY.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.4:49712 version: TLS 1.0

Source:	Binary string: wntdll.pdbUGP source: 8QeI7CboDY.exe, 00000000.00000003.1153610450.0000000003610000.00000004.00001000.00020000.00000000.sdmp, 8QeI7CboDY.exe, 00000000.00000003.1153873772.0000000003470000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 8QeI7CboDY.exe, 00000000.00000003.1153610450.0000000003610000.00000004.00001000.00020000.00000000.sdmp, 8QeI7CboDY.exe, 00000000.00000003.1153873772.0000000003470000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Code function: 0_2_0059445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0059445A
Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Code function: 0_2_0059C6D1 FindFirstFileW,FindClose,	0_2_0059C6D1
Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Code function: 0_2_0059C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0059C75C
Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Code function: 0_2_0059EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0059EF95
Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Code function: 0_2_0059F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0059F0F2
Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Code function: 0_2_0059F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0059F3F3
Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Code function: 0_2_005937EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_005937EF
Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Code function: 0_2_00593B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00593B12
Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Code function: 0_2_0059BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0059BCBC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 025F5782h	1_2_025F5358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 025F51B9h	1_2_025F4F08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 025F5782h	1_2_025F56AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 050FC7D8h	1_2_050FC530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 050F0FF1h	1_2_050F0D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 050FF028h	1_2_050FED80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 050FD088h	1_2_050FCDE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 050F1935h	1_2_050F15F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 050FDEC8h	1_2_050FDC20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 050F3EF8h	1_2_050F3C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 050FBF28h	1_2_050FBC80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 050F0741h	1_2_050F0498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 050FE778h	1_2_050FE4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 050F31F0h	1_2_050F2F48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 050FB220h	1_2_050FAF78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 050F3AA0h	1_2_050F37F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 050FA0C0h	1_2_050F9E18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 050FF8D8h	1_2_050FF630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 050FD93Ah	1_2_050FD690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 050FA970h	1_2_050FA6C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 050FEBD0h	1_2_050FE928
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 050FCC30h	1_2_050FC988
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 050F1449h	1_2_050F11A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 050FF480h	1_2_050FF1D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 050FBAD0h	1_2_050FB828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 050F02E9h	1_2_050F0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 050FE320h	1_2_050FE078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 050F4350h	1_2_050F40A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 050FC380h	1_2_050FC0D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 050F0B99h	1_2_050F08F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 050FADC8h	1_2_050FAB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 050F3648h	1_2_050F33A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 050FB678h	1_2_050FB3D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 050FD4E0h	1_2_050FD238
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 050FA518h	1_2_050FA270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 050FFD30h	1_2_050FFA88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 050F2D98h	1_2_050F2AF0

Source: global traffic

HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 158.101.44.242 158.101.44.242
Source: Joe Sandbox View	IP Address: 104.21.80.1 104.21.80.1
Source: Joe Sandbox View	IP Address: 104.21.80.1 104.21.80.1

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic

Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49711 -> 158.101.44.242:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown

HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.4:49712 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\8QeI7CboDY.exe

Code function: 0_2_005A22EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_005A22EE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: RegSvcs.exe, 00000001.00000002.2406091506.0000000002890000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000001.00000002.2406091506.0000000002890000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: RegSvcs.exe, 00000001.00000002.2406091506.0000000002890000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2406091506.000000000287E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000001.00000002.2406091506.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: RegSvcs.exe, 00000001.00000002.2406091506.0000000002890000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: 8QeI7CboDY.exe, 00000000.00000002.1157358007.0000000000A90000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2404391140.0000000000602000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000001.00000002.2406091506.0000000002890000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: RegSvcs.exe, 00000001.00000002.2406091506.00000000028AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000001.00000002.2406091506.00000000028AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: RegSvcs.exe, 00000001.00000002.2406091506.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 8QeI7CboDY.exe, 00000000.00000002.1157358007.0000000000A90000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2404391140.0000000000602000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: RegSvcs.exe, 00000001.00000002.2406091506.0000000002890000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: 8QeI7CboDY.exe, 00000000.00000002.1157358007.0000000000A90000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2406091506.0000000002890000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2404391140.0000000000602000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000001.00000002.2406091506.0000000002890000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: RegSvcs.exe, 00000001.00000002.2406091506.0000000002890000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l

Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.8QeI7CboDY.exe.a90000.1.raw.unpack, UltraSpeed.cs

.Net Code: VKCodeToUnicode

Source: C:\Users\user\Desktop\8QeI7CboDY.exe

Code function: 0_2_005A4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_005A4164

Source: C:\Users\user\Desktop\8QeI7CboDY.exe

Code function: 0_2_005A4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_005A4164

Source: C:\Users\user\Desktop\8QeI7CboDY.exe

Code function: 0_2_005A3F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_005A3F66

Source: C:\Users\user\Desktop\8QeI7CboDY.exe

Code function: 0_2_0059001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_0059001C

Source: C:\Users\user\Desktop\8QeI7CboDY.exe

Code function: 0_2_005BCABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_005BCABC

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.8QeI7CboDY.exe.a90000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.8QeI7CboDY.exe.a90000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.RegSvcs.exe.600000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.RegSvcs.exe.600000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.8QeI7CboDY.exe.a90000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.8QeI7CboDY.exe.a90000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000001.00000002.2404391140.0000000000602000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1157358007.0000000000A90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1157358007.0000000000A90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: Process Memory Space: 8QeI7CboDY.exe PID: 7608, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 7624, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00533B3A
Source: 8QeI7CboDY.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: 8QeI7CboDY.exe, 00000000.00000000.1142867981.00000000005E4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_cb90d4e4-e
Source: 8QeI7CboDY.exe, 00000000.00000000.1142867981.00000000005E4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_4010c816-3
Source: 8QeI7CboDY.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_923fdec0-6
Source: 8QeI7CboDY.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_60fc69e4-b

Source: C:\Users\user\Desktop\8QeI7CboDY.exe

Code function: 0_2_0059A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_0059A1EF

Source: C:\Users\user\Desktop\8QeI7CboDY.exe

Code function: 0_2_00588310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00588310

Source: C:\Users\user\Desktop\8QeI7CboDY.exe

Code function: 0_2_005951BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_005951BD

Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Code function: 0_2_0053E6A0	0_2_0053E6A0
Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Code function: 0_2_0055D975	0_2_0055D975
Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Code function: 0_2_0053FCE0	0_2_0053FCE0
Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Code function: 0_2_005521C5	0_2_005521C5
Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Code function: 0_2_005662D2	0_2_005662D2
Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Code function: 0_2_005B03DA	0_2_005B03DA
Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Code function: 0_2_0056242E	0_2_0056242E
Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Code function: 0_2_005525FA	0_2_005525FA
Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Code function: 0_2_0058E616	0_2_0058E616
Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Code function: 0_2_005466E1	0_2_005466E1
Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Code function: 0_2_0056878F	0_2_0056878F
Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Code function: 0_2_005B0857	0_2_005B0857
Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Code function: 0_2_00566844	0_2_00566844
Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Code function: 0_2_00548808	0_2_00548808
Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Code function: 0_2_00598889	0_2_00598889
Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Code function: 0_2_0055CB21	0_2_0055CB21
Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Code function: 0_2_00566DB6	0_2_00566DB6
Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Code function: 0_2_00546F9E	0_2_00546F9E
Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Code function: 0_2_00543030	0_2_00543030
Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Code function: 0_2_0055F1D9	0_2_0055F1D9
Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Code function: 0_2_00553187	0_2_00553187
Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Code function: 0_2_00531287	0_2_00531287
Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Code function: 0_2_00551484	0_2_00551484
Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Code function: 0_2_00545520	0_2_00545520
Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Code function: 0_2_00557696	0_2_00557696
Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Code function: 0_2_00545760	0_2_00545760
Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Code function: 0_2_00551978	0_2_00551978
Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Code function: 0_2_005B7DDB	0_2_005B7DDB
Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Code function: 0_2_00551D90	0_2_00551D90
Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Code function: 0_2_0055BDA6	0_2_0055BDA6
Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Code function: 0_2_0053DF00	0_2_0053DF00
Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Code function: 0_2_00543FE0	0_2_00543FE0
Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Code function: 0_2_00DD2D20	0_2_00DD2D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_025FC168	1_2_025FC168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_025FCA58	1_2_025FCA58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_025F19B8	1_2_025F19B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_025F7E68	1_2_025F7E68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_025F4F08	1_2_025F4F08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_025F2DD1	1_2_025F2DD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_025FB9D0	1_2_025FB9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_025FB9E0	1_2_025FB9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_025F7E59	1_2_025F7E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_025F4EF8	1_2_025F4EF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050F6A20	1_2_050F6A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050F4500	1_2_050F4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050F0D3A	1_2_050F0D3A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050FC530	1_2_050FC530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050F0D48	1_2_050F0D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050FED73	1_2_050FED73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050FED80	1_2_050FED80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050FCDD3	1_2_050FCDD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050F15EA	1_2_050F15EA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050FCDE0	1_2_050FCDE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050F15F8	1_2_050F15F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050FDC11	1_2_050FDC11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050FDC20	1_2_050FDC20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050F3C4B	1_2_050F3C4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050F1C49	1_2_050F1C49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050F1C58	1_2_050F1C58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050F3C50	1_2_050F3C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050FBC73	1_2_050FBC73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050F048A	1_2_050F048A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050FBC80	1_2_050FBC80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050F0498	1_2_050F0498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050FE4C7	1_2_050FE4C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050FE4D0	1_2_050FE4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050F2F3F	1_2_050F2F3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050F2F48	1_2_050F2F48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050FAF78	1_2_050FAF78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050FAF73	1_2_050FAF73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050F37F8	1_2_050F37F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050F37F3	1_2_050F37F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050F9E0B	1_2_050F9E0B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050F9E18	1_2_050F9E18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050FF620	1_2_050FF620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050FF630	1_2_050FF630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050FD687	1_2_050FD687
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050FD690	1_2_050FD690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050FA6BB	1_2_050FA6BB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050FA6C8	1_2_050FA6C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050FE918	1_2_050FE918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050FE928	1_2_050FE928
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050FC97B	1_2_050FC97B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050F118F	1_2_050F118F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050FC988	1_2_050FC988
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050F11A0	1_2_050F11A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050FF1D8	1_2_050FF1D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050FF1D3	1_2_050FF1D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050F001F	1_2_050F001F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050FB81B	1_2_050FB81B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050FB828	1_2_050FB828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050F0040	1_2_050F0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050FE078	1_2_050FE078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050FE073	1_2_050FE073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050F4098	1_2_050F4098
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050F40A8	1_2_050F40A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050FC0CB	1_2_050FC0CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050F08DF	1_2_050F08DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050FC0D8	1_2_050FC0D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050F08F0	1_2_050F08F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050FAB13	1_2_050FAB13
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050FAB20	1_2_050FAB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050F339B	1_2_050F339B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050F33A0	1_2_050F33A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050FB3C1	1_2_050FB3C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050FB3D0	1_2_050FB3D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050FD238	1_2_050FD238
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050FA26B	1_2_050FA26B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050FFA7F	1_2_050FFA7F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050FA270	1_2_050FA270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050FFA88	1_2_050FFA88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050F2AE0	1_2_050F2AE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050F2AF0	1_2_050F2AF0

Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Code function: String function: 00550AE3 appears 70 times
Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Code function: String function: 00537DE1 appears 36 times
Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Code function: String function: 00558900 appears 42 times

Source: 8QeI7CboDY.exe, 00000000.00000003.1152146265.0000000003593000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 8QeI7CboDY.exe
Source: 8QeI7CboDY.exe, 00000000.00000003.1154822879.000000000373D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 8QeI7CboDY.exe
Source: 8QeI7CboDY.exe, 00000000.00000002.1157358007.0000000000A90000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs 8QeI7CboDY.exe

Source: 8QeI7CboDY.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 0.2.8QeI7CboDY.exe.a90000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.8QeI7CboDY.exe.a90000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.RegSvcs.exe.600000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.RegSvcs.exe.600000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.8QeI7CboDY.exe.a90000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.8QeI7CboDY.exe.a90000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000001.00000002.2404391140.0000000000602000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1157358007.0000000000A90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1157358007.0000000000A90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: 8QeI7CboDY.exe PID: 7608, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 7624, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: 0.2.8QeI7CboDY.exe.a90000.1.raw.unpack, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.8QeI7CboDY.exe.a90000.1.raw.unpack, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/2@2/2

Source: C:\Users\user\Desktop\8QeI7CboDY.exe

Code function: 0_2_0059A06A GetLastError,FormatMessageW,

0_2_0059A06A

Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Code function: 0_2_005881CB AdjustTokenPrivileges,CloseHandle,		0_2_005881CB
Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Code function: 0_2_005887E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_005887E1

Source: C:\Users\user\Desktop\8QeI7CboDY.exe

Code function: 0_2_0059B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_0059B333

Source: C:\Users\user\Desktop\8QeI7CboDY.exe

Code function: 0_2_005AEE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_005AEE0D

Source: C:\Users\user\Desktop\8QeI7CboDY.exe

Code function: 0_2_0059C397 CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0059C397

Source: C:\Users\user\Desktop\8QeI7CboDY.exe

Code function: 0_2_00534E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00534E89

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\8QeI7CboDY.exe

File created: C:\Users\user\AppData\Local\Temp\autB2E9.tmp

Jump to behavior

Source: 8QeI7CboDY.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\8QeI7CboDY.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000001.00000002.2406091506.0000000002900000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2406091506.000000000290E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2406091506.00000000028F0000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: 8QeI7CboDY.exe	Virustotal: Detection: 41%
Source: 8QeI7CboDY.exe	ReversingLabs: Detection: 55%

Source: unknown	Process created: C:\Users\user\Desktop\8QeI7CboDY.exe "C:\Users\user\Desktop\8QeI7CboDY.exe"
Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\8QeI7CboDY.exe"
Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\8QeI7CboDY.exe"	Jump to behavior

Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: 8QeI7CboDY.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 8QeI7CboDY.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 8QeI7CboDY.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 8QeI7CboDY.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 8QeI7CboDY.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 8QeI7CboDY.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 8QeI7CboDY.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: 8QeI7CboDY.exe, 00000000.00000003.1153610450.0000000003610000.00000004.00001000.00020000.00000000.sdmp, 8QeI7CboDY.exe, 00000000.00000003.1153873772.0000000003470000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 8QeI7CboDY.exe, 00000000.00000003.1153610450.0000000003610000.00000004.00001000.00020000.00000000.sdmp, 8QeI7CboDY.exe, 00000000.00000003.1153873772.0000000003470000.00000004.00001000.00020000.00000000.sdmp

Source: 8QeI7CboDY.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 8QeI7CboDY.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 8QeI7CboDY.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 8QeI7CboDY.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 8QeI7CboDY.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\8QeI7CboDY.exe

Code function: 0_2_00534B37 LoadLibraryA,GetProcAddress,

0_2_00534B37

Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Code function: 0_2_0053C4C6 push A30053BAh; retn 0053h	0_2_0053C50D
Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Code function: 0_2_00558945 push ecx; ret	0_2_00558958
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_025F3493 push ebx; ret	1_2_025F349A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050F9521 push ecx; ret	1_2_050F9522
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050F9577 push ecx; ret	1_2_050F957A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050F9588 push ebx; ret	1_2_050F968A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050F9698 push esp; ret	1_2_050F9972
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050F8848 push eax; ret	1_2_050F93C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050F537B push ds; ret	1_2_050F5382
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_050F93C3 push eax; ret	1_2_050F93CA

Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Code function: 0_2_005348D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_005348D7
Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Code function: 0_2_005B5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_005B5376

Source: C:\Users\user\Desktop\8QeI7CboDY.exe

Code function: 0_2_00553187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00553187

Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\8QeI7CboDY.exe

API/Special instruction interceptor: Address: DD2944

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 8QeI7CboDY.exe, 00000000.00000003.1146306392.0000000000E0B000.00000004.00000020.00020000.00000000.sdmp, 8QeI7CboDY.exe, 00000000.00000003.1146626198.0000000000E0B000.00000004.00000020.00020000.00000000.sdmp, 8QeI7CboDY.exe, 00000000.00000003.1145756457.0000000000E0B000.00000004.00000020.00020000.00000000.sdmp, 8QeI7CboDY.exe, 00000000.00000003.1143474161.0000000000DDF000.00000004.00000020.00020000.00000000.sdmp, 8QeI7CboDY.exe, 00000000.00000003.1146503508.0000000000E0B000.00000004.00000020.00020000.00000000.sdmp, 8QeI7CboDY.exe, 00000000.00000002.1157477040.0000000000E0B000.00000004.00000020.00020000.00000000.sdmp, 8QeI7CboDY.exe, 00000000.00000003.1143827533.0000000000E0B000.00000004.00000020.00020000.00000000.sdmp, 8QeI7CboDY.exe, 00000000.00000003.1143529179.0000000000E0B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: PROCMON.EXEES

Source: C:\Users\user\Desktop\8QeI7CboDY.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-102239

Source: C:\Users\user\Desktop\8QeI7CboDY.exe

API coverage: 4.4 %

Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Code function: 0_2_0059445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0059445A
Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Code function: 0_2_0059C6D1 FindFirstFileW,FindClose,	0_2_0059C6D1
Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Code function: 0_2_0059C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0059C75C
Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Code function: 0_2_0059EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0059EF95
Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Code function: 0_2_0059F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0059F0F2
Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Code function: 0_2_0059F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0059F3F3
Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Code function: 0_2_005937EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_005937EF
Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Code function: 0_2_00593B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00593B12
Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Code function: 0_2_0059BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0059BCBC

Source: C:\Users\user\Desktop\8QeI7CboDY.exe

Code function: 0_2_005349A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_005349A0

Source: RegSvcs.exe, 00000001.00000002.2404781503.0000000000858000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\8QeI7CboDY.exe

API call chain: ExitProcess graph end node

graph_0-100741

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 1_2_025FC168 LdrInitializeThunk,LdrInitializeThunk,

1_2_025FC168

Source: C:\Users\user\Desktop\8QeI7CboDY.exe

Code function: 0_2_005A3F09 BlockInput,

0_2_005A3F09

Source: C:\Users\user\Desktop\8QeI7CboDY.exe

Code function: 0_2_00533B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00533B3A

Source: C:\Users\user\Desktop\8QeI7CboDY.exe

Code function: 0_2_00565A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00565A7C

Source: C:\Users\user\Desktop\8QeI7CboDY.exe

Code function: 0_2_00534B37 LoadLibraryA,GetProcAddress,

0_2_00534B37

Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Code function: 0_2_00DD1560 mov eax, dword ptr fs:[00000030h]	0_2_00DD1560
Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Code function: 0_2_00DD2BB0 mov eax, dword ptr fs:[00000030h]	0_2_00DD2BB0
Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Code function: 0_2_00DD2C10 mov eax, dword ptr fs:[00000030h]	0_2_00DD2C10

Source: C:\Users\user\Desktop\8QeI7CboDY.exe

Code function: 0_2_005880A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_005880A9

Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Code function: 0_2_0055A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_0055A155
Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Code function: 0_2_0055A124 SetUnhandledExceptionFilter,		0_2_0055A124

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 0.2.8QeI7CboDY.exe.a90000.1.raw.unpack, UltraSpeed.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 0.2.8QeI7CboDY.exe.a90000.1.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 0.2.8QeI7CboDY.exe.a90000.1.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\8QeI7CboDY.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\8QeI7CboDY.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 5B4008

Jump to behavior

Source: C:\Users\user\Desktop\8QeI7CboDY.exe

Code function: 0_2_005887B1 LogonUserW,

0_2_005887B1

Source: C:\Users\user\Desktop\8QeI7CboDY.exe

Code function: 0_2_00533B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00533B3A

Source: C:\Users\user\Desktop\8QeI7CboDY.exe

Code function: 0_2_005348D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_005348D7

Source: C:\Users\user\Desktop\8QeI7CboDY.exe

Code function: 0_2_00594C53 mouse_event,

0_2_00594C53

Source: C:\Users\user\Desktop\8QeI7CboDY.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\8QeI7CboDY.exe"

Jump to behavior

Source: C:\Users\user\Desktop\8QeI7CboDY.exe

Code function: 0_2_00587CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00587CAF

Source: C:\Users\user\Desktop\8QeI7CboDY.exe

Code function: 0_2_0058874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_0058874B

Source: 8QeI7CboDY.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: 8QeI7CboDY.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\8QeI7CboDY.exe

Code function: 0_2_0055862B cpuid

0_2_0055862B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\8QeI7CboDY.exe

Code function: 0_2_00564E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00564E87

Source: C:\Users\user\Desktop\8QeI7CboDY.exe

Code function: 0_2_00571E06 GetUserNameW,

0_2_00571E06

Source: C:\Users\user\Desktop\8QeI7CboDY.exe

Code function: 0_2_00563F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00563F3A

Source: C:\Users\user\Desktop\8QeI7CboDY.exe

Code function: 0_2_005349A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_005349A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MSIL Logger

Source: Yara match	File source: 0.2.8QeI7CboDY.exe.a90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.8QeI7CboDY.exe.a90000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2404391140.0000000000602000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1157358007.0000000000A90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 8QeI7CboDY.exe PID: 7608, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7624, type: MEMORYSTR

Yara detected MassLogger RAT

Source: Yara match	File source: 0.2.8QeI7CboDY.exe.a90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.8QeI7CboDY.exe.a90000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2404391140.0000000000602000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1157358007.0000000000A90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 8QeI7CboDY.exe PID: 7608, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7624, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.8QeI7CboDY.exe.a90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.8QeI7CboDY.exe.a90000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2404391140.0000000000602000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1157358007.0000000000A90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 8QeI7CboDY.exe PID: 7608, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7624, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: 8QeI7CboDY.exe	Binary or memory string: WIN_81
Source: 8QeI7CboDY.exe	Binary or memory string: WIN_XP
Source: 8QeI7CboDY.exe	Binary or memory string: WIN_XPe
Source: 8QeI7CboDY.exe	Binary or memory string: WIN_VISTA
Source: 8QeI7CboDY.exe	Binary or memory string: WIN_7
Source: 8QeI7CboDY.exe	Binary or memory string: WIN_8
Source: 8QeI7CboDY.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 0.2.8QeI7CboDY.exe.a90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.8QeI7CboDY.exe.a90000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2404391140.0000000000602000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2406091506.0000000002935000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1157358007.0000000000A90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 8QeI7CboDY.exe PID: 7608, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7624, type: MEMORYSTR

Remote Access Functionality

Yara detected MSIL Logger

Source: Yara match	File source: 0.2.8QeI7CboDY.exe.a90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.8QeI7CboDY.exe.a90000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2404391140.0000000000602000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1157358007.0000000000A90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 8QeI7CboDY.exe PID: 7608, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7624, type: MEMORYSTR

Yara detected MassLogger RAT

Source: Yara match	File source: 0.2.8QeI7CboDY.exe.a90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.8QeI7CboDY.exe.a90000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2404391140.0000000000602000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1157358007.0000000000A90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 8QeI7CboDY.exe PID: 7608, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7624, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.8QeI7CboDY.exe.a90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.8QeI7CboDY.exe.a90000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2404391140.0000000000602000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1157358007.0000000000A90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 8QeI7CboDY.exe PID: 7608, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7624, type: MEMORYSTR

Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Code function: 0_2_005A6283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_005A6283
Source: C:\Users\user\Desktop\8QeI7CboDY.exe	Code function: 0_2_005A6747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_005A6747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	12 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	121 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	127 System Information Discovery	Distributed Component Object Model	121 Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	2 Valid Accounts	LSA Secrets	231 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	21 Access Token Manipulation	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	212 Process Injection	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
8QeI7CboDY.exe	41%	Virustotal		Browse
8QeI7CboDY.exe	55%	ReversingLabs	Win32.Trojan.AutoitInject
8QeI7CboDY.exe	100%	Avira	TR/AD.SnakeStealer.igtop

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.80.1	true	false	high
checkip.dyndns.com	158.101.44.242	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/8.46.123.189	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189l	RegSvcs.exe, 00000001.00000002.2406091506.0000000002890000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.comd	RegSvcs.exe, 00000001.00000002.2406091506.0000000002890000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	8QeI7CboDY.exe, 00000000.00000002.1157358007.0000000000A90000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2404391140.0000000000602000.00000040.80000000.00040000.00000000.sdmp	false	high
http://reallyfreegeoip.orgd	RegSvcs.exe, 00000001.00000002.2406091506.00000000028AD000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189d	RegSvcs.exe, 00000001.00000002.2406091506.0000000002890000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	RegSvcs.exe, 00000001.00000002.2406091506.00000000028AD000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.orgd	RegSvcs.exe, 00000001.00000002.2406091506.0000000002890000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	RegSvcs.exe, 00000001.00000002.2406091506.0000000002890000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	RegSvcs.exe, 00000001.00000002.2406091506.0000000002890000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2406091506.000000000287E000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	RegSvcs.exe, 00000001.00000002.2406091506.0000000002890000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/d	RegSvcs.exe, 00000001.00000002.2406091506.0000000002890000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000001.00000002.2406091506.0000000002811000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot-/sendDocument?chat_id=	8QeI7CboDY.exe, 00000000.00000002.1157358007.0000000000A90000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2404391140.0000000000602000.00000040.80000000.00040000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	8QeI7CboDY.exe, 00000000.00000002.1157358007.0000000000A90000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2406091506.0000000002890000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2404391140.0000000000602000.00000040.80000000.00040000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
158.101.44.242	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	false
104.21.80.1	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1636870
Start date and time:	2025-03-13 08:12:48 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	8QeI7CboDY.exe renamed because original name is a hash value
Original Sample Name:	709a4ffec76d0c7715cb6a69a3610ede.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/2@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 53 Number of non-executed functions: 270
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.199.214.10, 172.202.163.200
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
158.101.44.242	uhg.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/
	4500149631.vbe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	#rfq=O250116 - #U304a#U3088#U3073#U8cfc#U5165#U5951#U7d04- Offer Z01G-00008D SUPPLY - H64PO.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	niceworkingskillwithbestideasevermade.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/
	rDatosbancarios.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Variant.Lazy.487114.16188.14077.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	pbgjw8i8N7.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	bddTkmucZP.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	ctTrvHxBXO.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	gC0avSHWrd.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
104.21.80.1	MG710417.exe	Get hash	malicious	Azorult	Browse	gd53.cfd/TL341/index.php
	PRI_VTK250419A.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/scc1/five/fre.php
	DHL AWB Receipt_pdf.bat.exe	Get hash	malicious	FormBook	Browse	www.rbopisalive.cyou/2dxw/
	Marzec 2025-faktura.pdf.exe	Get hash	malicious	FormBook	Browse	www.oldpay.online/u023/?lneDc=2js00DxFGjY6gHlVOW1q9a10L3HzPIs7WpRmaT2A/LnakQk0VzYAjcxSKMUcEwKHsPPKaiHoQA==&NvExnX=FrapFFYPB
	z1companyProfileandproducts.exe	Get hash	malicious	FormBook	Browse	www.dd87558.vip/uoki/
	http://7a.ithuupvudv.ru	Get hash	malicious	Unknown	Browse	7a.ithuupvudv.ru/favicon.ico
	PRI_VTK250419A.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/scc1/five/fre.php
	dfiCWCanbj.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/sccc/five/fre.php
	laser (2).ps1	Get hash	malicious	FormBook	Browse	www.lucynoel6465.shop/jgkl/
	laser.ps1	Get hash	malicious	FormBook	Browse	www.tumbetgirislinki.fit/k566/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	wekissingbestgirleveryseenwithmygirl.hta	Get hash	malicious	Cobalt Strike, Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	mybestgirlfriendwalkingaroundtheworld.hta	Get hash	malicious	Cobalt Strike, DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
	wecreatebestthingsentirelifeforgivenyou.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	132.226.247.73
	uhg.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	158.101.44.242
	Yeni Sat#U0131nalma Sipari#U015fi.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	193.122.6.168
	Payment_Advise.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.130.0
	4500149631.vbe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	132.226.247.73
	QUOTATION_FEBQUOTE312025PDF.scr.exe	Get hash	malicious	MSIL Logger	Browse	193.122.6.168
	PENDING PAYMENT FOR March SOA.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
reallyfreegeoip.org	wekissingbestgirleveryseenwithmygirl.hta	Get hash	malicious	Cobalt Strike, Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	mybestgirlfriendwalkingaroundtheworld.hta	Get hash	malicious	Cobalt Strike, DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer	Browse	104.21.16.1
	wecreatebestthingsentirelifeforgivenyou.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	104.21.64.1
	uhg.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	104.21.80.1
	Yeni Sat#U0131nalma Sipari#U015fi.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.64.1
	Payment_Advise.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.112.1
	4500149631.vbe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.80.1
	DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.48.1
	QUOTATION_FEBQUOTE312025PDF.scr.exe	Get hash	malicious	MSIL Logger	Browse	104.21.16.1
	PENDING PAYMENT FOR March SOA.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.64.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	y79a2l1FY5.exe	Get hash	malicious	DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer	Browse	104.21.48.1
	SoftWare(1).exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	https://ln.run/EYeFI#eWVjMDExNEBrb3JlYS5rcg==	Get hash	malicious	HTMLPhisher	Browse	104.18.11.207
	SecuriteInfo.com.Win32.DropperX-gen.28100.31863.exe	Get hash	malicious	FormBook	Browse	172.67.222.160
	1.ps1	Get hash	malicious	RHADAMANTHYS	Browse	172.67.166.76
	http://dynamic-freesia-zv7h9k.mystrikingly.com/	Get hash	malicious	Unknown	Browse	104.17.24.14
	Kiddion's Modest Menu v.1.0.0.exe	Get hash	malicious	LummaC Stealer, Xmrig	Browse	104.21.64.1
	HitmanPro pre-patched.exe	Get hash	malicious	Unknown	Browse	172.64.155.119
	Launcher_v2.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.64.1
	ModMenu.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
ORACLE-BMC-31898US	miori.x86.elf	Get hash	malicious	Unknown	Browse	132.145.140.102
	wekissingbestgirleveryseenwithmygirl.hta	Get hash	malicious	Cobalt Strike, Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	mybestgirlfriendwalkingaroundtheworld.hta	Get hash	malicious	Cobalt Strike, DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
	uhg.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	158.101.44.242
	Yeni Sat#U0131nalma Sipari#U015fi.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	193.122.6.168
	Payment_Advise.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.130.0
	4500149631.vbe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	QUOTATION_FEBQUOTE312025PDF.scr.exe	Get hash	malicious	MSIL Logger	Browse	193.122.6.168
	Yeni Sat#U0131nalma Sipari#U015fi.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	193.122.130.0
	MALZEME G_0017 TABANCA SPREY NOZUL.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	y79a2l1FY5.exe	Get hash	malicious	DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer	Browse	104.21.80.1
	wekissingbestgirleveryseenwithmygirl.hta	Get hash	malicious	Cobalt Strike, Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	mybestgirlfriendwalkingaroundtheworld.hta	Get hash	malicious	Cobalt Strike, DBatLoader, MSIL Logger, MassLogger RAT, PureLog Stealer	Browse	104.21.80.1
	wecreatebestthingsentirelifeforgivenyou.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	104.21.80.1
	uhg.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	104.21.80.1
	Yeni Sat#U0131nalma Sipari#U015fi.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.80.1
	Payment_Advise.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.80.1
	4500149631.vbe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.80.1
	DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.80.1
	PENDING PAYMENT FOR March SOA.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1

Process:	C:\Users\user\Desktop\8QeI7CboDY.exe
File Type:	data
Category:	dropped
Size (bytes):	65878
Entropy (8bit):	7.901093703451358
Encrypted:	false
SSDEEP:	1536:CPq33/z2Zj4vzb4ALS6HwWti/G2hWarFcILK0+scahbzrba5s0N:Diho3K4w/G2hWarFJcorba5sm
MD5:	9517266B0CD76CE547FC0DAEE79EE2AE
SHA1:	C5BB8A9DD4F3EAE8DF3FE0F11D63BED133829168
SHA-256:	8F1B4958F85E55308DB95868A7540F3A79BCA6D0DEF5A04A2726F5FE15C929CD
SHA-512:	65EB07F45602EEFEDD24BD5545AB92C732B8E0FF1199C424E7FDAC577F4C191F9DE8C6189445FC8EA2D7DB7526F2CBB350926A7CB7363DF9E6E966D661254D5F
Malicious:	false
Reputation:	low
Preview:	EA06..n..C.u..J.9.Q&...s7.RiS..^.U.......X..'3z@..h`... .X..?u......`g0..F/<.Q-...^M%.N,s...wV.Y.[...Y.H$..,b%u.Mg.{..kN..,f5}...J.k.<....5...'4..F.C.VjUY...4.ZM&....>. .B+9.Y.....oL.....k]..Rs5.....#..TY.....f...f`...,.....3.p./.5Y.V@B? .o./H....0..!`........a..P..Ur.W....>.E&.X..fRy...........b.XW.......9..r...iA.......4..!..H...x.M.@...Ww9.n. .."qD..st:.3.U.......q..R..../..Z.J...o.a;.e....R.T..&..Y.0....,!............ .A..!.@..J.XJ.....a..,$............B.4.Ro....j.Pk...6Sy.Uf{.,.aG.....uA..d...b..N(.....9..)....Id......Byn.L(..x.QQ..j.........3..z-C.Da.M.qk..j..}z.U.D..I.....X..^.S..+..6b..p....Rui.Pj....YF..(.....G..)4...c..U...s..R..:..9H..(.j...h.\.....m..P...J.Z~..E.1R.....t.{Z.X)r\...K..l....s8.M#. .....O....._.Y...4...Xm...^.&..y.....4.Z......`.Po...X.F@..p..a.N(5....Z.U....i6..-szE>.....7.5J...Q&...ZuJ..iS..Ny.......u?.L(u..N.I.G.w.H.QX......./D..c..0......i....B.....B{...C%..'sZ\.=8...r....(....*...7.Sl.j.s....7\|...X.d.n....M...2O..[.!.

C:\Users\user\AppData\Local\Temp\forniciform

Download File

Process:	C:\Users\user\Desktop\8QeI7CboDY.exe
File Type:	data
Category:	dropped
Size (bytes):	93696
Entropy (8bit):	6.881980419687085
Encrypted:	false
SSDEEP:	1536:5+91hLu+SIDKEwqJ4IZ177Cb0rJ0RxzeJ8KYeajUEEza+83plc/H8rGkN+EVg:c9fu+HC+/80V0eJ8KaE2Xplc/crtbg
MD5:	CD82C1C0D5425B9C8BADBF500C4A98F2
SHA1:	174B0EB76618D70A8D303EFBD88907C20002CA5D
SHA-256:	FE2E2F6D8C413DDA6E94D474E6D22D84FF423607C1825ABF0F75777893B27B25
SHA-512:	82261A0632FD9E7CFB1E8DAADB8FFBA7623D11AB1BF05264727F966C1F5D0FCF7F3626716B5D4E6F9D5DA1FC7C1032FE2629A4EF0833D5F3455ABD62852AE0C1
Malicious:	false
Reputation:	low
Preview:	...Z[RU9<D40..97.IJ8AWAU.ZXRU98D40CT97HIJ8AWAUCZXRU98D40CT97.IJ8OH.[C.Q.t.9....<PDh98W&% 8c99<;VLdVUc&LYh $....u.5<7{45N.0CT97HI.}AW.T@Z.<..8D40CT97.IH9JV.UC>YRU18D40CT..IIJ.AWA.BZXR.98d40CV97LIJ8AWAUEZXRU98D4.BT95HIJ8AWCU#.XRE98T40CT)7HYJ8AWAUSZXRU98D40CTi.II.8AWA.BZ.WU98D40CT97HIJ8AWAUC.YRY98D40CT97HIJ8AWAUCZXRU98D40CT97HIJ8AWAUCZXRU98D40CT9.HIB8AWAUCZXRU90d40.T97HIJ8AWAUm.=!98D.RBT9.HIJ\@WAWCZXRU98D40CT97hIJXo%2' ZXR.<8D4.BT91HIJ^@WAUCZXRU98D40.T9wf;/T.4AUOZXRU.9D42CT9[IIJ8AWAUCZXRU9xD4rCT97HIJ8AWAUCZXR.9D40CTq7HIH8DW=.CZ..U9;D40.T91..J8.WAUCZXRU98D40CT97HIJ8AWAUCZXRU98D40CT97HIJ8..Z..;&..D40CT96JJN>I_AUCZXRU9FD40.T97.IJ8vWAUfZXR898D.0CTG7HI48AW%UCZ*RU9YD40.T97'IJ8/WAU=ZXRK;.[40I~.7Jaj8A]A..)yRU3.E40G'.7HC.:AWE&`ZXX.:8D0CgT9=.MJ8E$dUCP.WU9<nn0@./1HIQWyWA_CY.GS98_..CV..HI@8kqAV.O^RU".f42.]97Lc.K\WASk.XR_M1D42.^97LcT:i.AUIpz,F98@.0ivG#HIN.A}c+VZXV~9.fJ&CT=.HchFVWAQhZrT.[86.<C$:X)IJ>i.AUIr.RU?8n.0=Z97LK%.AWKsi`Xz.98B4..T91Hc.8?dAUGv_,f98@.&=e97L.L@AWG&.ZXXp..D44k.97BI`.A..UC\Xz.98B

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.851122327803846
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	8QeI7CboDY.exe
File size:	967'680 bytes
MD5:	709a4ffec76d0c7715cb6a69a3610ede
SHA1:	172283b9521e8530d1d35d6ebd3e58b448949a4c
SHA256:	b46c0a570d881198169c6cc53bb5e525e294fbc86e527e214926a9fc44e96981
SHA512:	d5a904612d43160a1639deab33dba60125faedf50917cfa1b37784c4aad05dcac07f1fb8c14587956f822b8dd263f34905b196a885064c617975200ca6595be0
SSDEEP:	24576:ou6J33O0c+JY5UZ+XC0kGso6FaiJu9OAuWY:Cu0c++OCvkGs9FaiVoY
TLSH:	CA25AE2273DDC360CB669173BF2AB7016EBF7C614630B95B2F880D7DA950162162D7A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67D181FE [Wed Mar 12 12:45:50 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F41CCD7B46Ah
jmp 00007F41CCD6E234h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F41CCD6E3BAh
cmp edi, eax
jc 00007F41CCD6E71Eh
bt dword ptr [004C31FCh], 01h
jnc 00007F41CCD6E3B9h
rep movsb
jmp 00007F41CCD6E6CCh
cmp ecx, 00000080h
jc 00007F41CCD6E584h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F41CCD6E3C0h
bt dword ptr [004BE324h], 01h
jc 00007F41CCD6E890h
bt dword ptr [004C31FCh], 00000000h
jnc 00007F41CCD6E55Dh
test edi, 00000003h
jne 00007F41CCD6E56Eh
test esi, 00000003h
jne 00007F41CCD6E54Dh
bt edi, 02h
jnc 00007F41CCD6E3BFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F41CCD6E3C3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F41CCD6E415h
bt esi, 03h
jnc 00007F41CCD6E468h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x23bcc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xeb000	0x711c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	d28a820a1d9ff26cda02d12b888ba4b4	False	0.5728679102422908	data	6.676118058520316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x23bcc	0x23c00	86b77e8abf91aaaca48bb17507eb415c	False	0.8166111232517482	data	7.585505324397183	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xeb000	0x711c	0x7200	6fcae3cbbf6bfbabf5ec5bbe7cf612c3	False	0.7650767543859649	data	6.779031650454199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc75a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc76d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc77f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc7c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc7d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc8bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc9480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc99e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xcbf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xcd038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcda84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xce110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcf660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcf7b8	0x1ae91	data			1.0003719664322976
RT_GROUP_ICON	0xea64c	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xea6c4	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xea6d8	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xea6ec	0x14	data	English	Great Britain	1.25
RT_VERSION	0xea700	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xea7dc	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Version Infos

Description	Data
Translation	0x0809 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-13T08:13:47.466752+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49711	158.101.44.242	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 13, 2025 08:13:46.658061028 CET	49711	80	192.168.2.4	158.101.44.242
Mar 13, 2025 08:13:46.662919044 CET	80	49711	158.101.44.242	192.168.2.4
Mar 13, 2025 08:13:46.663031101 CET	49711	80	192.168.2.4	158.101.44.242
Mar 13, 2025 08:13:46.663234949 CET	49711	80	192.168.2.4	158.101.44.242
Mar 13, 2025 08:13:46.667928934 CET	80	49711	158.101.44.242	192.168.2.4
Mar 13, 2025 08:13:47.259624958 CET	80	49711	158.101.44.242	192.168.2.4
Mar 13, 2025 08:13:47.263283968 CET	49711	80	192.168.2.4	158.101.44.242
Mar 13, 2025 08:13:47.268125057 CET	80	49711	158.101.44.242	192.168.2.4
Mar 13, 2025 08:13:47.426448107 CET	80	49711	158.101.44.242	192.168.2.4
Mar 13, 2025 08:13:47.435889006 CET	49712	443	192.168.2.4	104.21.80.1
Mar 13, 2025 08:13:47.435952902 CET	443	49712	104.21.80.1	192.168.2.4
Mar 13, 2025 08:13:47.436027050 CET	49712	443	192.168.2.4	104.21.80.1
Mar 13, 2025 08:13:47.466752052 CET	49711	80	192.168.2.4	158.101.44.242
Mar 13, 2025 08:13:47.517657995 CET	49712	443	192.168.2.4	104.21.80.1
Mar 13, 2025 08:13:47.517699957 CET	443	49712	104.21.80.1	192.168.2.4
Mar 13, 2025 08:13:49.325187922 CET	443	49712	104.21.80.1	192.168.2.4
Mar 13, 2025 08:13:49.325459003 CET	49712	443	192.168.2.4	104.21.80.1
Mar 13, 2025 08:13:49.357853889 CET	49712	443	192.168.2.4	104.21.80.1
Mar 13, 2025 08:13:49.357882977 CET	443	49712	104.21.80.1	192.168.2.4
Mar 13, 2025 08:13:49.358347893 CET	443	49712	104.21.80.1	192.168.2.4
Mar 13, 2025 08:13:49.404299974 CET	49712	443	192.168.2.4	104.21.80.1
Mar 13, 2025 08:13:49.474982023 CET	49712	443	192.168.2.4	104.21.80.1
Mar 13, 2025 08:13:49.520325899 CET	443	49712	104.21.80.1	192.168.2.4
Mar 13, 2025 08:13:50.193005085 CET	443	49712	104.21.80.1	192.168.2.4
Mar 13, 2025 08:13:50.193084955 CET	443	49712	104.21.80.1	192.168.2.4
Mar 13, 2025 08:13:50.193123102 CET	49712	443	192.168.2.4	104.21.80.1
Mar 13, 2025 08:13:50.221138000 CET	49712	443	192.168.2.4	104.21.80.1
Mar 13, 2025 08:14:52.425740004 CET	80	49711	158.101.44.242	192.168.2.4
Mar 13, 2025 08:14:52.425971031 CET	49711	80	192.168.2.4	158.101.44.242
Mar 13, 2025 08:15:27.485903978 CET	49711	80	192.168.2.4	158.101.44.242
Mar 13, 2025 08:15:27.490653038 CET	80	49711	158.101.44.242	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 13, 2025 08:13:46.640188932 CET	54709	53	192.168.2.4	1.1.1.1
Mar 13, 2025 08:13:46.647530079 CET	53	54709	1.1.1.1	192.168.2.4
Mar 13, 2025 08:13:47.427885056 CET	58406	53	192.168.2.4	1.1.1.1
Mar 13, 2025 08:13:47.435241938 CET	53	58406	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 13, 2025 08:13:46.640188932 CET	192.168.2.4	1.1.1.1	0x1d7b	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Mar 13, 2025 08:13:47.427885056 CET	192.168.2.4	1.1.1.1	0xfe14	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 13, 2025 08:13:46.647530079 CET	1.1.1.1	192.168.2.4	0x1d7b	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 13, 2025 08:13:46.647530079 CET	1.1.1.1	192.168.2.4	0x1d7b	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Mar 13, 2025 08:13:46.647530079 CET	1.1.1.1	192.168.2.4	0x1d7b	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Mar 13, 2025 08:13:46.647530079 CET	1.1.1.1	192.168.2.4	0x1d7b	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Mar 13, 2025 08:13:46.647530079 CET	1.1.1.1	192.168.2.4	0x1d7b	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Mar 13, 2025 08:13:46.647530079 CET	1.1.1.1	192.168.2.4	0x1d7b	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Mar 13, 2025 08:13:47.435241938 CET	1.1.1.1	192.168.2.4	0xfe14	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Mar 13, 2025 08:13:47.435241938 CET	1.1.1.1	192.168.2.4	0xfe14	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Mar 13, 2025 08:13:47.435241938 CET	1.1.1.1	192.168.2.4	0xfe14	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Mar 13, 2025 08:13:47.435241938 CET	1.1.1.1	192.168.2.4	0xfe14	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Mar 13, 2025 08:13:47.435241938 CET	1.1.1.1	192.168.2.4	0xfe14	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Mar 13, 2025 08:13:47.435241938 CET	1.1.1.1	192.168.2.4	0xfe14	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Mar 13, 2025 08:13:47.435241938 CET	1.1.1.1	192.168.2.4	0xfe14	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49711	158.101.44.242	80	7624	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Mar 13, 2025 08:13:46.663234949 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Mar 13, 2025 08:13:47.259624958 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 07:13:47 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 983f3303cd0b1e7f08cc1b079bb68c3c Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Mar 13, 2025 08:13:47.263283968 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Mar 13, 2025 08:13:47.426448107 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 07:13:47 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: af7b864c7467c1089f1052f35fd61703 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49712	104.21.80.1	443	7624	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-13 07:13:49 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-03-13 07:13:50 UTC	844	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 07:13:49 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 cf-cache-status: MISS last-modified: Thu, 13 Mar 2025 07:13:49 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=c075shCgaVv3QLYjgKmjiECaLb8xtb5VCOE5jDs33B%2BeOiRb0c0nJl8yCG5nkGqm5nobV6McgyX2kUpnHf73nVxU4aE0r2h7TnCiNbf3OJlYck2%2Fs%2F7WfMrqHkyNDYkHHBO4JKCf"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91f9bb1d5b010ded-MEM alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=18498&min_rtt=17688&rtt_var=6379&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=136946&cwnd=251&unsent_bytes=0&cid=e5f50d3aff0efb60&ts=993&x=0"
2025-03-13 07:13:50 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	03:13:43
Start date:	13/03/2025
Path:	C:\Users\user\Desktop\8QeI7CboDY.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\8QeI7CboDY.exe"
Imagebase:	0x530000
File size:	967'680 bytes
MD5 hash:	709A4FFEC76D0C7715CB6A69A3610EDE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.1157358007.0000000000A90000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1157358007.0000000000A90000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 00000000.00000002.1157358007.0000000000A90000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1157358007.0000000000A90000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1157358007.0000000000A90000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000000.00000002.1157358007.0000000000A90000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	03:13:44
Start date:	13/03/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\8QeI7CboDY.exe"
Imagebase:	0x230000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000001.00000002.2404391140.0000000000602000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2404391140.0000000000602000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 00000001.00000002.2404391140.0000000000602000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000002.2404391140.0000000000602000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000001.00000002.2404391140.0000000000602000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2406091506.0000000002935000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 8QeI7CboDY.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\autB2E9.tmp

C:\Users\user\AppData\Local\Temp\forniciform

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Windows Analysis Report
8QeI7CboDY.exe