Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1637440
MD5:	ab5663a35b01e88deedb0739a3266f2f
SHA1:	9ab0ff2ed6a6441caccb18fd1429a33b14f79541
SHA256:	f9fdb051571ebd3003ed9a8605cc48af2e79a3383e48486b69b0becbb3436b57
Tags:	NETexeMSILuser-jstrosch
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

Joe Sandbox ML detected suspicious sample

Sample uses string decryption to hide its real strings

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

file.exe (PID: 6284 cmdline: "C:\Users\user\Desktop\file.exe" MD5: AB5663A35B01E88DEEDB0739A3266F2F)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "Telegram", "Bot Token": "7692968455:AAFUd6DDUCm9bBSVBpp5I0Oudm0YDdn6C3o", "Chat id": "6163418482"}

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Token": "7692968455:AAFUd6DDUCm9bBSVBpp5I0Oudm0YDdn6C3o", "Chat_id": "6163418482", "Version": "4.4"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
file.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
file.exe	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
file.exe	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
file.exe	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2da9a:$a1: get_encryptedPassword 0x2ddc3:$a2: get_encryptedUsername 0x2d8aa:$a3: get_timePasswordChanged 0x2d9b3:$a4: get_passwordField 0x2dab0:$a5: set_encryptedPassword 0x2f192:$a7: get_logins 0x2f0f5:$a10: KeyLoggerEventArgs 0x2ed5a:$a11: KeyLoggerEventArgsEventHandler
file.exe	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b841:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3aee4:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b141:$a4: \Orbitum\User Data\Default\Login Data 0x3bb20:$a5: \Kometa\User Data\Default\Login Data
file.exe	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2e6ea:$s1: UnHook 0x2e6f1:$s2: SetHook 0x2e6f9:$s3: CallNextHook 0x2e706:$s4: _hook
Click to see the 1 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1193206006.00000000008A2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000000.1193206006.00000000008A2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000000.1193206006.00000000008A2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000000.1193206006.00000000008A2000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2d89a:$a1: get_encryptedPassword 0x2dbc3:$a2: get_encryptedUsername 0x2d6aa:$a3: get_timePasswordChanged 0x2d7b3:$a4: get_passwordField 0x2d8b0:$a5: set_encryptedPassword 0x2ef92:$a7: get_logins 0x2eef5:$a10: KeyLoggerEventArgs 0x2eb5a:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.3656440328.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: file.exe PID: 6284	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: file.exe PID: 6284	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: file.exe PID: 6284	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: file.exe PID: 6284	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x4bd16:$a1: get_encryptedPassword 0x4c035:$a2: get_encryptedUsername 0x4bb30:$a3: get_timePasswordChanged 0x4bc39:$a4: get_passwordField 0x4bd2c:$a5: set_encryptedPassword 0x4e212:$a7: get_logins 0x4e175:$a10: KeyLoggerEventArgs 0x4ddde:$a11: KeyLoggerEventArgsEventHandler
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.file.exe.8a0000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.0.file.exe.8a0000.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.0.file.exe.8a0000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.0.file.exe.8a0000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2da9a:$a1: get_encryptedPassword 0x2ddc3:$a2: get_encryptedUsername 0x2d8aa:$a3: get_timePasswordChanged 0x2d9b3:$a4: get_passwordField 0x2dab0:$a5: set_encryptedPassword 0x2f192:$a7: get_logins 0x2f0f5:$a10: KeyLoggerEventArgs 0x2ed5a:$a11: KeyLoggerEventArgsEventHandler
0.0.file.exe.8a0000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3b841:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3aee4:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b141:$a4: \Orbitum\User Data\Default\Login Data 0x3bb20:$a5: \Kometa\User Data\Default\Login Data
0.0.file.exe.8a0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2e6ea:$s1: UnHook 0x2e6f1:$s2: SetHook 0x2e6f9:$s3: CallNextHook 0x2e706:$s4: _hook
Click to see the 1 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T16:24:47.439704+0100	2803305	3	Unknown Traffic	192.168.2.11	49710	104.21.32.1	443	TCP
2025-03-13T16:24:55.698243+0100	2803305	3	Unknown Traffic	192.168.2.11	49714	104.21.32.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T16:24:43.453716+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49706	158.101.44.242	80	TCP
2025-03-13T16:24:45.469395+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49706	158.101.44.242	80	TCP
2025-03-13T16:24:48.094350+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49712	158.101.44.242	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Found malware configuration

Source: file.exe	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "Telegram", "Bot Token": "7692968455:AAFUd6DDUCm9bBSVBpp5I0Oudm0YDdn6C3o", "Chat id": "6163418482"}
Source: 00000000.00000002.3656440328.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "7692968455:AAFUd6DDUCm9bBSVBpp5I0Oudm0YDdn6C3o", "Chat_id": "6163418482", "Version": "4.4"}

Multi AV Scanner detection for submitted file

Source: file.exe	Virustotal: Detection: 75%			Perma Link
Source: file.exe	ReversingLabs: Detection: 81%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: file.exe	String decryptor: 7692968455:AAFUd6DDUCm9bBSVBpp5I0Oudm0YDdn6C3o
Source: file.exe	String decryptor: 6163418482
Source: file.exe	String decryptor:

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.11:49707 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.11:49736 version: TLS 1.0

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 00E43488h	0_2_00E43070
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 00E42D49h	0_2_00E42A98
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 00E4D1E9h	0_2_00E4CF40
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 00E4E7A1h	0_2_00E4E4F8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 00E4E349h	0_2_00E4E0A0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 00E43488h	0_2_00E4306D
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	0_2_00E40040
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 00E4DEF1h	0_2_00E4DC48
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	0_2_00E40853
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 00E4F051h	0_2_00E4EDA8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 00E4EBF9h	0_2_00E4E950
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 00E4FD59h	0_2_00E4FAB0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	0_2_00E40673
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 00E4F901h	0_2_00E4F658
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 00E4F4A9h	0_2_00E4F200
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 00E4DA99h	0_2_00E4D7F0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 00E43488h	0_2_00E433B6
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 00E4D641h	0_2_00E4D398
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 00E40D0Dh	0_2_00E40B30
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 00E416F8h	0_2_00E40B30
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 01117EB5h	0_2_01117B78
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 01119280h	0_2_01118FB0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 011125A9h	0_2_01112300
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 0111BBD8h	0_2_0111B908
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 0111DC00h	0_2_0111D930
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 011179C9h	0_2_01117720
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 011155D1h	0_2_01115328
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 01112A01h	0_2_01112758
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 0111FC00h	0_2_0111F958
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 0111AE10h	0_2_0111AB40
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 01110FF1h	0_2_01110D48
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 0111A048h	0_2_01119D78
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 0111CE38h	0_2_0111CB68
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 0111EE60h	0_2_0111EB90
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 01115A29h	0_2_01115780
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 01112E59h	0_2_01112BB0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 01111449h	0_2_011111A0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 0111C070h	0_2_0111BDA0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 01115E81h	0_2_01115BD8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 0111B2A8h	0_2_0111AFD8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 0111E098h	0_2_0111DDC8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 011118A1h	0_2_011115F8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 0111A4E0h	0_2_0111A210
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 01116CC1h	0_2_01116A18
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 0111D2D0h	0_2_0111D000
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 011132B1h	0_2_01113008
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 011162D9h	0_2_01116030
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 0111C508h	0_2_0111C238
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 011148C9h	0_2_01114620
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 0111F2F8h	0_2_0111F028
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 01111CF9h	0_2_01111A50
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 011102E9h	0_2_01110040
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 01119718h	0_2_01119448
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 0111B740h	0_2_0111B470
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 01117119h	0_2_01116E70
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 01114D21h	0_2_01114A78
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 01113709h	0_2_01113460
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 0111E530h	0_2_0111E260
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 01110741h	0_2_01110498
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 0111D768h	0_2_0111D498
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 01116733h	0_2_01116488
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 01112151h	0_2_01111EA8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 0111A978h	0_2_0111A6A8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 0111C9A0h	0_2_0111C6D0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 01115179h	0_2_01114ED0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 0111F790h	0_2_0111F4C0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 01117571h	0_2_011172C8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 01110B99h	0_2_011108F0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 0111E9C8h	0_2_0111E6F8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 01119BB0h	0_2_011198E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 0126F2D5h	0_2_0126F138
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 0126F2D5h	0_2_0126F324
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 0126FA91h	0_2_0126F7EC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	0_2_051F2A80

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.21.32.1 104.21.32.1
Source: Joe Sandbox View	IP Address: 104.21.32.1 104.21.32.1
Source: Joe Sandbox View	IP Address: 158.101.44.242 158.101.44.242

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49712 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49706 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49714 -> 104.21.32.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49710 -> 104.21.32.1:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.11:49707 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.11:49736 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: file.exe	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: file.exe	String found in binary or memory: http://aborters.duckdns.org:8081
Source: file.exe	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: file.exe, 00000000.00000002.3658650134.00000000064A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://c.pki.goog/r/gsr1.crl0
Source: file.exe, 00000000.00000002.3658650134.00000000064A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://c.pki.goog/r/r4.crl0
Source: file.exe, 00000000.00000002.3655643692.0000000001042000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3656440328.0000000002E07000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://c.pki.goog/we1/K0UVAKe5N94.crl0
Source: file.exe, 00000000.00000002.3656440328.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: file.exe, 00000000.00000002.3656440328.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: file.exe	String found in binary or memory: http://checkip.dyndns.org/q
Source: file.exe, 00000000.00000002.3658650134.00000000064A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://i.pki.goog/gsr1.crt0-
Source: file.exe, 00000000.00000002.3658650134.00000000064A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://i.pki.goog/r4.crt0
Source: file.exe, 00000000.00000002.3655643692.0000000001042000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3656440328.0000000002E07000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://i.pki.goog/we1.crt05
Source: file.exe, 00000000.00000002.3655643692.0000000001042000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3656440328.0000000002E07000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://o.pki.goog/s/we1/8CI0%
Source: file.exe, 00000000.00000002.3656440328.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: file.exe	String found in binary or memory: http://varders.kozow.com:8081
Source: file.exe, 00000000.00000002.3657563455.0000000003DE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: file.exe, 00000000.00000002.3656440328.0000000002E28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: file.exe	String found in binary or memory: https://api.telegram.org/bot
Source: file.exe, 00000000.00000002.3656440328.0000000002E28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: file.exe, 00000000.00000002.3656440328.0000000002E28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:216041%0D%0ADate%20a
Source: file.exe, 00000000.00000002.3657563455.0000000003DE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000002.3657563455.0000000004037000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3657563455.0000000003DE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000002.3657563455.0000000004037000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3657563455.0000000003DE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000002.3656440328.0000000002EA2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3656440328.0000000002EE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: file.exe, 00000000.00000002.3656440328.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en4
Source: file.exe, 00000000.00000002.3656440328.0000000002EAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: file.exe, 00000000.00000002.3657563455.0000000003DE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000002.3657563455.0000000004037000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3657563455.0000000003DE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: file.exe, 00000000.00000002.3657563455.0000000003DE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: file.exe, 00000000.00000002.3657563455.0000000003DE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: file.exe, 00000000.00000002.3656440328.0000000002D6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: file.exe	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: file.exe, 00000000.00000002.3656440328.0000000002E07000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: file.exe, 00000000.00000002.3656440328.0000000002D9A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3656440328.0000000002DDF000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3656440328.0000000002E07000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: file.exe, 00000000.00000002.3656440328.0000000002DDF000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3656440328.0000000002E1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.1894
Source: file.exe, 00000000.00000002.3657563455.0000000004037000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3657563455.0000000003DE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: file.exe, 00000000.00000002.3657563455.0000000004037000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3657563455.0000000003DE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: file.exe, 00000000.00000002.3656440328.0000000002EE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: file.exe, 00000000.00000002.3656440328.0000000002EE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/4
Source: file.exe, 00000000.00000002.3656440328.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

System Summary

Malicious sample detected (through community Yara rule)

Source: file.exe, type: SAMPLE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: file.exe, type: SAMPLE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: file.exe, type: SAMPLE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.0.file.exe.8a0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.0.file.exe.8a0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.0.file.exe.8a0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000000.00000000.1193206006.00000000008A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: file.exe PID: 6284, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Users\user\Desktop\file.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E41C58	0_2_00E41C58
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E495C8	0_2_00E495C8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E452C8	0_2_00E452C8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E49EB8	0_2_00E49EB8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E42A98	0_2_00E42A98
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E423B0	0_2_00E423B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E4CF40	0_2_00E4CF40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E4E4F8	0_2_00E4E4F8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E4E0A0	0_2_00E4E0A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E40040	0_2_00E40040
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E4DC48	0_2_00E4DC48
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E41C49	0_2_00E41C49
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E40021	0_2_00E40021
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E4EDA8	0_2_00E4EDA8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E4E940	0_2_00E4E940
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E4E950	0_2_00E4E950
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E452C4	0_2_00E452C4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E4FAB0	0_2_00E4FAB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E48E40	0_2_00E48E40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E4F658	0_2_00E4F658
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E48E31	0_2_00E48E31
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E4F200	0_2_00E4F200
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E497E8	0_2_00E497E8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E4D7F0	0_2_00E4D7F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E423A9	0_2_00E423A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E4D389	0_2_00E4D389
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E4D398	0_2_00E4D398
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E40B20	0_2_00E40B20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E40B30	0_2_00E40B30
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01117B78	0_2_01117B78
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01118FB0	0_2_01118FB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_011181D0	0_2_011181D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01112300	0_2_01112300
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0111B908	0_2_0111B908
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0111D930	0_2_0111D930
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0111AB30	0_2_0111AB30
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01117720	0_2_01117720
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0111D920	0_2_0111D920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01117722	0_2_01117722
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01115328	0_2_01115328
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01112756	0_2_01112756
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01112758	0_2_01112758
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0111F958	0_2_0111F958
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0111CB5D	0_2_0111CB5D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0111AB40	0_2_0111AB40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0111F949	0_2_0111F949
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01110D48	0_2_01110D48
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01115770	0_2_01115770
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01117B76	0_2_01117B76
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01119D78	0_2_01119D78
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0111CB68	0_2_0111CB68
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01119D68	0_2_01119D68
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0111EB90	0_2_0111EB90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0111BD90	0_2_0111BD90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01111197	0_2_01111197
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01115780	0_2_01115780
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0111EB80	0_2_0111EB80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01112BB0	0_2_01112BB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0111DDB9	0_2_0111DDB9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01118FA1	0_2_01118FA1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_011111A0	0_2_011111A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0111BDA0	0_2_0111BDA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01112BAE	0_2_01112BAE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01115BD8	0_2_01115BD8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0111AFD8	0_2_0111AFD8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0111AFC9	0_2_0111AFC9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0111DDC8	0_2_0111DDC8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0111CFF1	0_2_0111CFF1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_011115F8	0_2_011115F8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0111A210	0_2_0111A210
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0111F019	0_2_0111F019
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01116A18	0_2_01116A18
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0111D000	0_2_0111D000
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0111A204	0_2_0111A204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01116A07	0_2_01116A07
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01113008	0_2_01113008
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01116030	0_2_01116030
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0111C238	0_2_0111C238
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01119438	0_2_01119438
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01116021	0_2_01116021
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01114620	0_2_01114620
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0111F028	0_2_0111F028
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0111C22C	0_2_0111C22C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0111E251	0_2_0111E251
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01111A50	0_2_01111A50
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01110040	0_2_01110040
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01119448	0_2_01119448
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0111B470	0_2_0111B470
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01116E70	0_2_01116E70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01114A78	0_2_01114A78
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01113460	0_2_01113460
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0111E260	0_2_0111E260
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0111B460	0_2_0111B460
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0111A699	0_2_0111A699
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01110498	0_2_01110498
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0111D498	0_2_0111D498
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01116488	0_2_01116488
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0111D488	0_2_0111D488
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0111F4B0	0_2_0111F4B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_011172B8	0_2_011172B8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_011138B8	0_2_011138B8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01111EA8	0_2_01111EA8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0111A6A8	0_2_0111A6A8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0111C6D0	0_2_0111C6D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01114ED0	0_2_01114ED0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_011198D0	0_2_011198D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0111C6C1	0_2_0111C6C1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0111F4C0	0_2_0111F4C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_011172C8	0_2_011172C8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_011108F0	0_2_011108F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0111E6F8	0_2_0111E6F8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0111B8F8	0_2_0111B8F8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_011198E0	0_2_011198E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0111E6E9	0_2_0111E6E9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0126C146	0_2_0126C146
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0126A088	0_2_0126A088
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01265370	0_2_01265370
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0126D2CA	0_2_0126D2CA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0126D599	0_2_0126D599
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0126C46A	0_2_0126C46A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0126C738	0_2_0126C738
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_012669A0	0_2_012669A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0126EAA8	0_2_0126EAA8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0126CD28	0_2_0126CD28
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0126CFF7	0_2_0126CFF7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01266FC8	0_2_01266FC8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01263E09	0_2_01263E09
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0126F7EC	0_2_0126F7EC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_012629E0	0_2_012629E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0126EA9A	0_2_0126EA9A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01263A99	0_2_01263A99
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0126FC31	0_2_0126FC31
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_051F0750	0_2_051F0750
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_051F0760	0_2_051F0760
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_051F0006	0_2_051F0006
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_051F0040	0_2_051F0040
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_051F2300	0_2_051F2300
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_051F22F1	0_2_051F22F1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_051F0E39	0_2_051F0E39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_051F0E48	0_2_051F0E48
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_051F1530	0_2_051F1530
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_051F1520	0_2_051F1520
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_051F1C18	0_2_051F1C18
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_051F1C08	0_2_051F1C08

Source: file.exe, 00000000.00000002.3654769218.0000000000CF7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs file.exe
Source: file.exe, 00000000.00000002.3655643692.000000000100E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe, 00000000.00000000.1193206006.00000000008A2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameRemington.exe4 vs file.exe

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe, type: SAMPLE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: file.exe, type: SAMPLE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: file.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.0.file.exe.8a0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.0.file.exe.8a0000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.file.exe.8a0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000000.00000000.1193206006.00000000008A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: file.exe PID: 6284, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: file.exe, B.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: file.exe, B.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: file.exe, --.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: file.exe, --.cs

Base64 encoded string: 'QMP5+Zav3OUq9OOcYs5CdQwVhfNast3/xEa0tVdiWYy4PoureKQ0hNBDRbWFjees'

Source: classification engine

Classification label: mal100.troj.spyw.winEXE@1/0@3/3

Source: C:\Users\user\Desktop\file.exe

Mutant created: NULL

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: file.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe, 00000000.00000002.3656440328.0000000002F6F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3656440328.0000000002F8D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3656440328.0000000002FBE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3656440328.0000000002FB2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.3656440328.0000000002F7E000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: file.exe	Virustotal: Detection: 75%
Source: file.exe	ReversingLabs: Detection: 81%

Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Memory allocated: 1260000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 2D20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 2A40000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 599563	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 598891	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 598769	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 598547	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 598438	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 597719	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 595109	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 594559	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 594408	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 594267	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 594141	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 594016	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 593904	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 593790	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 593688	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 593563	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 593438	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Window / User API: threadDelayed 3351			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window / User API: threadDelayed 6469			Jump to behavior

Source: C:\Users\user\Desktop\file.exe TID: 5428	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5428	Thread sleep time: -30437127721620741s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5428	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5404	Thread sleep count: 3351 > 30	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5428	Thread sleep time: -599891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5404	Thread sleep count: 6469 > 30	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5428	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5428	Thread sleep time: -599672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5428	Thread sleep time: -599563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5428	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5428	Thread sleep time: -599344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5428	Thread sleep time: -599219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5428	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5428	Thread sleep time: -599000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5428	Thread sleep time: -598891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5428	Thread sleep time: -598769s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5428	Thread sleep time: -598656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5428	Thread sleep time: -598547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5428	Thread sleep time: -598438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5428	Thread sleep time: -598328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5428	Thread sleep time: -598219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5428	Thread sleep time: -598110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5428	Thread sleep time: -597985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5428	Thread sleep time: -597860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5428	Thread sleep time: -597719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5428	Thread sleep time: -597610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5428	Thread sleep time: -597485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5428	Thread sleep time: -597360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5428	Thread sleep time: -597235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5428	Thread sleep time: -597110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5428	Thread sleep time: -596985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5428	Thread sleep time: -596860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5428	Thread sleep time: -596735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5428	Thread sleep time: -596610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5428	Thread sleep time: -596485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5428	Thread sleep time: -596360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5428	Thread sleep time: -596235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5428	Thread sleep time: -596110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5428	Thread sleep time: -595985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5428	Thread sleep time: -595860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5428	Thread sleep time: -595735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5428	Thread sleep time: -595610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5428	Thread sleep time: -595485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5428	Thread sleep time: -595360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5428	Thread sleep time: -595235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5428	Thread sleep time: -595109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5428	Thread sleep time: -594703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5428	Thread sleep time: -594559s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5428	Thread sleep time: -594408s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5428	Thread sleep time: -594267s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5428	Thread sleep time: -594141s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5428	Thread sleep time: -594016s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5428	Thread sleep time: -593904s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5428	Thread sleep time: -593790s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5428	Thread sleep time: -593688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5428	Thread sleep time: -593563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5428	Thread sleep time: -593438s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 599563	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 598891	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 598769	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 598547	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 598438	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 598110	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 597719	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 595109	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 594559	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 594408	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 594267	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 594141	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 594016	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 593904	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 593790	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 593688	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 593563	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 593438	Jump to behavior

Source: file.exe, 00000000.00000002.3655643692.0000000001042000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E495C8 LdrInitializeThunk,

0_2_00E495C8

Source: C:\Users\user\Desktop\file.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match

File source: 00000000.00000002.3656440328.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: file.exe, type: SAMPLE
Source: Yara match	File source: 0.0.file.exe.8a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1193206006.00000000008A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6284, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: file.exe, type: SAMPLE
Source: Yara match	File source: 0.0.file.exe.8a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1193206006.00000000008A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6284, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: Yara match	File source: file.exe, type: SAMPLE
Source: Yara match	File source: 0.0.file.exe.8a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1193206006.00000000008A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6284, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match

File source: 00000000.00000002.3656440328.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: file.exe, type: SAMPLE
Source: Yara match	File source: 0.0.file.exe.8a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1193206006.00000000008A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6284, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: file.exe, type: SAMPLE
Source: Yara match	File source: 0.0.file.exe.8a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1193206006.00000000008A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6284, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Email Collection	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	31 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Obfuscated Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	13 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
file.exe