Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:file.exe
Analysis ID:1637452
MD5:855bb87420f8dbe945a1ffa4abbb23f9
SHA1:8115793b368fc257780e8ae00bc3ad568adfbd60
SHA256:ada32ec7d1868b4e082ae007138811e58e8b44dc748a847d8e055adf4cae25a9
Tags:exeMassLoggeruser-jstrosch
Infos:

Detection

MSIL Logger, MassLogger RAT
Score:100
Range:0 - 100
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected MSIL Logger
Yara detected MassLogger RAT
Yara detected Telegram RAT
.NET source code references suspicious native API functions
Binary is likely a compiled AutoIt script file
Contains functionality to log keystrokes (.Net Source)
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • file.exe (PID: 8032 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 855BB87420F8DBE945A1FFA4ABBB23F9)
    • RegSvcs.exe (PID: 8052 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "Telegram", "Telegram Token": "7598843355:AAHehybWWiULdkPS1RLFstdr4_yw-SdkoII", "Telegram Chatid": "7668947425"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000001.00000002.2693282784.0000000000402000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_MassLoggerYara detected MassLogger RATJoe Security
    00000001.00000002.2693282784.0000000000402000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
      00000001.00000002.2693282784.0000000000402000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_MSILLoggerYara detected MSIL LoggerJoe Security
        00000001.00000002.2693282784.0000000000402000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_TelegramRATYara detected Telegram RATJoe Security
          00000001.00000002.2693282784.0000000000402000.00000040.80000000.00040000.00000000.sdmpWindows_Trojan_SnakeKeylogger_af3faa65unknownunknown
          • 0xefdf:$a1: get_encryptedPassword
          • 0xf307:$a2: get_encryptedUsername
          • 0xed7a:$a3: get_timePasswordChanged
          • 0xee9b:$a4: get_passwordField
          • 0xeff5:$a5: set_encryptedPassword
          • 0x10951:$a7: get_logins
          • 0x10602:$a8: GetOutlookPasswords
          • 0x103f4:$a9: StartKeylogger
          • 0x108a1:$a10: KeyLoggerEventArgs
          • 0x10451:$a11: KeyLoggerEventArgsEventHandler
          Click to see the 17 entries

          Unpacked PEs

          SourceRuleDescriptionAuthorStrings
          0.2.file.exe.1560000.1.unpackJoeSecurity_MassLoggerYara detected MassLogger RATJoe Security
            0.2.file.exe.1560000.1.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
              0.2.file.exe.1560000.1.unpackJoeSecurity_MSILLoggerYara detected MSIL LoggerJoe Security
                0.2.file.exe.1560000.1.unpackJoeSecurity_TelegramRATYara detected Telegram RATJoe Security
                  0.2.file.exe.1560000.1.unpackWindows_Trojan_SnakeKeylogger_af3faa65unknownunknown
                  • 0xd3df:$a1: get_encryptedPassword
                  • 0xd707:$a2: get_encryptedUsername
                  • 0xd17a:$a3: get_timePasswordChanged
                  • 0xd29b:$a4: get_passwordField
                  • 0xd3f5:$a5: set_encryptedPassword
                  • 0xed51:$a7: get_logins
                  • 0xea02:$a8: GetOutlookPasswords
                  • 0xe7f4:$a9: StartKeylogger
                  • 0xeca1:$a10: KeyLoggerEventArgs
                  • 0xe851:$a11: KeyLoggerEventArgsEventHandler
                  Click to see the 13 entries

                  Sigma Signatures

                  No Sigma rule has matched

                  Suricata Signatures

                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2025-03-13T16:39:39.340735+010028032742Potentially Bad Traffic192.168.2.449714193.122.130.080TCP

                  Joe Sandbox Signatures

                  Click to jump to signature section

                  Show All Signature Results

                  AV Detection

                  barindex
                  Antivirus / Scanner detection for submitted sample
                  Source: file.exeAvira: detected
                  Found malware configuration
                  Source: 00000001.00000002.2694268635.0000000002D01000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "7598843355:AAHehybWWiULdkPS1RLFstdr4_yw-SdkoII", "Telegram Chatid": "7668947425"}
                  Multi AV Scanner detection for submitted file
                  Source: file.exeVirustotal: Detection: 42%Perma Link
                  Source: file.exeReversingLabs: Detection: 63%
                  Joe Sandbox ML detected suspicious sample
                  Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability

                  Location Tracking

                  barindex
                  Tries to detect the country of the analysis system (by using the IP)
                  Source: unknownDNS query: name: reallyfreegeoip.org
                  Source: file.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                  Source: unknownHTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49715 version: TLS 1.0
                  Source: Binary string: wntdll.pdbUGP source: file.exe, 00000000.00000003.1453292287.0000000003FB0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.1454287998.0000000003E10000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: wntdll.pdb source: file.exe, 00000000.00000003.1453292287.0000000003FB0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.1454287998.0000000003E10000.00000004.00001000.00020000.00000000.sdmp
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002C445A GetFileAttributesW,FindFirstFileW,FindClose,0_2_002C445A
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002CC6D1 FindFirstFileW,FindClose,0_2_002CC6D1
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002CC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_002CC75C
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002CEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_002CEF95
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002CF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_002CF0F2
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002CF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_002CF3F3
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002C37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_002C37EF
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002C3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_002C3B12
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002CBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_002CBCBC
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 011D5782h1_2_011D5358
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 011D51B9h1_2_011D4F08
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 011D5782h1_2_011D56AF
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 05311935h1_2_053115F8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 0531C7D8h1_2_0531C530
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 05310FF1h1_2_05310D48
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 0531F028h1_2_0531ED80
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 0531D088h1_2_0531CDE0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 0531DEC8h1_2_0531DC20
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 05313EF8h1_2_05313C50
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 05310741h1_2_05310498
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 0531BF28h1_2_0531BC80
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 0531E778h1_2_0531E4D0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 0531B220h1_2_0531AF78
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 053131F0h1_2_05312F48
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 05313AA0h1_2_053137F8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 0531F8D8h1_2_0531F630
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 0531A0C0h1_2_05319E18
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 0531D93Ah1_2_0531D690
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 0531A970h1_2_0531A6C8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 0531EBD0h1_2_0531E928
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 05311449h1_2_053111A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 0531CC30h1_2_0531C988
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 0531F480h1_2_0531F1D8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 0531BAD0h1_2_0531B828
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 0531E320h1_2_0531E078
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 053102E9h1_2_05310040
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 05314350h1_2_053140A8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 05310B99h1_2_053108F0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 0531C380h1_2_0531C0D8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 0531ADC8h1_2_0531AB20
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 05313648h1_2_053133A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 0531B678h1_2_0531B3D0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 0531D4E0h1_2_0531D238
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 0531A518h1_2_0531A270
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 0531FD30h1_2_0531FA88
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 05312D98h1_2_05312AF0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 058E0740h1_2_058E0498
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 058E02E8h1_2_058E0040
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then mov esp, ebp1_2_058E4DCB
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then mov esp, ebp1_2_058E4E7C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then mov dword ptr [ebp-14h], 00000000h1_2_058E0B20
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 058E17FDh1_2_058E1620
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 058E2187h1_2_058E1620
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then mov dword ptr [ebp-14h], 00000000h1_2_058E1163
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then mov dword ptr [ebp-14h], 00000000h1_2_058E1343
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                  Source: Joe Sandbox ViewIP Address: 104.21.96.1 104.21.96.1
                  Source: Joe Sandbox ViewIP Address: 104.21.96.1 104.21.96.1
                  Source: Joe Sandbox ViewIP Address: 193.122.130.0 193.122.130.0
                  Source: Joe Sandbox ViewJA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
                  Source: unknownDNS query: name: checkip.dyndns.org
                  Source: unknownDNS query: name: reallyfreegeoip.org
                  Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49714 -> 193.122.130.0:80
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                  Source: unknownHTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49715 version: TLS 1.0
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002D22EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_002D22EE
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                  Source: global trafficDNS traffic detected: DNS query: checkip.dyndns.org
                  Source: global trafficDNS traffic detected: DNS query: reallyfreegeoip.org
                  Source: RegSvcs.exe, 00000001.00000002.2694268635.0000000002D80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.com
                  Source: RegSvcs.exe, 00000001.00000002.2694268635.0000000002D80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.comd
                  Source: RegSvcs.exe, 00000001.00000002.2694268635.0000000002D6E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2694268635.0000000002D80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org
                  Source: RegSvcs.exe, 00000001.00000002.2694268635.0000000002D01000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/
                  Source: RegSvcs.exe, 00000001.00000002.2694268635.0000000002D80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/d
                  Source: file.exe, 00000000.00000002.1459871701.0000000001560000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2693282784.0000000000402000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/q
                  Source: RegSvcs.exe, 00000001.00000002.2694268635.0000000002D80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.orgd
                  Source: RegSvcs.exe, 00000001.00000002.2694268635.0000000002D9D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://reallyfreegeoip.org
                  Source: RegSvcs.exe, 00000001.00000002.2694268635.0000000002D9D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://reallyfreegeoip.orgd
                  Source: RegSvcs.exe, 00000001.00000002.2694268635.0000000002D01000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: file.exe, 00000000.00000002.1459871701.0000000001560000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2693282784.0000000000402000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
                  Source: RegSvcs.exe, 00000001.00000002.2694268635.0000000002D80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org
                  Source: file.exe, 00000000.00000002.1459871701.0000000001560000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2693282784.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2694268635.0000000002D80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/
                  Source: RegSvcs.exe, 00000001.00000002.2694268635.0000000002D80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
                  Source: RegSvcs.exe, 00000001.00000002.2694268635.0000000002D80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49715 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49715

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

                  barindex
                  Contains functionality to log keystrokes (.Net Source)
                  Source: 0.2.file.exe.1560000.1.raw.unpack, UltraSpeed.cs.Net Code: VKCodeToUnicode
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002D4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_002D4164
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002D4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_002D4164
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002D3F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_002D3F66
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002C001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_002C001C
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002ECABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_002ECABC

                  System Summary

                  barindex
                  Malicious sample detected (through community Yara rule)
                  Source: 0.2.file.exe.1560000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 0.2.file.exe.1560000.1.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 0.2.file.exe.1560000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 0.2.file.exe.1560000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 00000001.00000002.2693282784.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 00000000.00000002.1459871701.0000000001560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 00000000.00000002.1459871701.0000000001560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: Process Memory Space: file.exe PID: 8032, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: Process Memory Space: RegSvcs.exe PID: 8052, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Binary is likely a compiled AutoIt script file
                  Source: C:\Users\user\Desktop\file.exeCode function: This is a third-party compiled AutoIt script.0_2_00263B3A
                  Source: file.exeString found in binary or memory: This is a third-party compiled AutoIt script.
                  Source: file.exe, 00000000.00000000.1442321604.0000000000314000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_b4c870d4-1
                  Source: file.exe, 00000000.00000000.1442321604.0000000000314000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_7df6d954-e
                  Source: file.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_d714c038-5
                  Source: file.exeString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_4a612ced-7
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002CA1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,0_2_002CA1EF
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002B8310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_002B8310
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002C51BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_002C51BD
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0028D9750_2_0028D975
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002821C50_2_002821C5
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002962D20_2_002962D2
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002E03DA0_2_002E03DA
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0029242E0_2_0029242E
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002825FA0_2_002825FA
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002BE6160_2_002BE616
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0026E6A00_2_0026E6A0
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002766E10_2_002766E1
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0029878F0_2_0029878F
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002788080_2_00278808
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002968440_2_00296844
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002E08570_2_002E0857
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002C88890_2_002C8889
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0028CB210_2_0028CB21
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00296DB60_2_00296DB6
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00276F9E0_2_00276F9E
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002730300_2_00273030
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002831870_2_00283187
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0028F1D90_2_0028F1D9
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002612870_2_00261287
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002814840_2_00281484
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002755200_2_00275520
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002876960_2_00287696
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002757600_2_00275760
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002819780_2_00281978
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0026FCE00_2_0026FCE0
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0028BDA60_2_0028BDA6
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00281D900_2_00281D90
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002E7DDB0_2_002E7DDB
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0026DF000_2_0026DF00
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00273FE00_2_00273FE0
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_015F2C880_2_015F2C88
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_011DC1681_2_011DC168
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_011DCA581_2_011DCA58
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_011D4F081_2_011D4F08
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_011D7E681_2_011D7E68
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_011DB9E01_2_011DB9E0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_011D2DD11_2_011D2DD1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_011D7E591_2_011D7E59
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_011D4EF81_2_011D4EF8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_053145001_2_05314500
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_053115F81_2_053115F8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_05311C581_2_05311C58
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_053177701_2_05317770
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_053169981_2_05316998
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0531C5301_2_0531C530
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_05310D3A1_2_05310D3A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0531C5201_2_0531C520
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0531ED701_2_0531ED70
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_05310D481_2_05310D48
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0531ED801_2_0531ED80
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0531CDE01_2_0531CDE0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_053115EA1_2_053115EA
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0531CDD01_2_0531CDD0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0531DC201_2_0531DC20
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0531DC121_2_0531DC12
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0531BC711_2_0531BC71
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_05313C501_2_05313C50
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_05313C421_2_05313C42
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_05311C4A1_2_05311C4A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_05319C901_2_05319C90
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_053104981_2_05310498
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0531BC801_2_0531BC80
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0531048A1_2_0531048A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0531E4D01_2_0531E4D0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0531E4C01_2_0531E4C0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_05312F381_2_05312F38
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0531AF781_2_0531AF78
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0531AF681_2_0531AF68
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_05312F481_2_05312F48
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_053137F81_2_053137F8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_053137E81_2_053137E8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0531F6301_2_0531F630
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0531F6201_2_0531F620
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_05319E181_2_05319E18
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0531A6B91_2_0531A6B9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0531D6901_2_0531D690
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0531D6821_2_0531D682
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0531A6C81_2_0531A6C8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0531E9281_2_0531E928
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0531E91E1_2_0531E91E
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0531C97A1_2_0531C97A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_053111A01_2_053111A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0531C9881_2_0531C988
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0531118F1_2_0531118F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0531F1D81_2_0531F1D8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0531F1C81_2_0531F1C8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_053100321_2_05310032
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0531B8281_2_0531B828
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0531B8181_2_0531B818
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0531E0781_2_0531E078
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0531E0681_2_0531E068
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_053100401_2_05310040
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_053140A81_2_053140A8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_053140981_2_05314098
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_053108F01_2_053108F0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0531C0D81_2_0531C0D8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_053108DF1_2_053108DF
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0531C0CA1_2_0531C0CA
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0531AB201_2_0531AB20
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0531AB101_2_0531AB10
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_053133A01_2_053133A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_053133921_2_05313392
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0531B3D01_2_0531B3D0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0531B3C11_2_0531B3C1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0531D2381_2_0531D238
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0531D22A1_2_0531D22A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0531A2701_2_0531A270
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0531FA781_2_0531FA78
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0531A2611_2_0531A261
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0531FA881_2_0531FA88
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_05312AF01_2_05312AF0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_05312AE01_2_05312AE0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_058E048A1_2_058E048A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_058E04981_2_058E0498
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_058E26871_2_058E2687
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_058E26981_2_058E2698
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_058E00061_2_058E0006
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_058E40001_2_058E4000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_058E00401_2_058E0040
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_058E2CD01_2_058E2CD0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_058E2CE01_2_058E2CE0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_058E0B201_2_058E0B20
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_058E4AE01_2_058E4AE0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_058E16101_2_058E1610
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_058E16201_2_058E1620
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_058E33201_2_058E3320
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_058E33301_2_058E3330
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_058E3FEF1_2_058E3FEF
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_058E39801_2_058E3980
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_058E39741_2_058E3974
                  Source: C:\Users\user\Desktop\file.exeCode function: String function: 00280AE3 appears 70 times
                  Source: C:\Users\user\Desktop\file.exeCode function: String function: 00267DE1 appears 35 times
                  Source: C:\Users\user\Desktop\file.exeCode function: String function: 00288900 appears 42 times
                  Source: file.exe, 00000000.00000003.1453292287.00000000040DD000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs file.exe
                  Source: file.exe, 00000000.00000003.1452757493.0000000003F33000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs file.exe
                  Source: file.exe, 00000000.00000002.1459871701.0000000001560000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCloudServices.exe< vs file.exe
                  Source: file.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                  Source: 0.2.file.exe.1560000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 0.2.file.exe.1560000.1.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 0.2.file.exe.1560000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 0.2.file.exe.1560000.1.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 00000001.00000002.2693282784.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 00000000.00000002.1459871701.0000000001560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 00000000.00000002.1459871701.0000000001560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: Process Memory Space: file.exe PID: 8032, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: Process Memory Space: RegSvcs.exe PID: 8052, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 0.2.file.exe.1560000.1.raw.unpack, UltraSpeed.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.file.exe.1560000.1.raw.unpack, COVIDPickers.csCryptographic APIs: 'TransformFinalBlock'
                  Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/2@2/2
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002CA06A GetLastError,FormatMessageW,0_2_002CA06A
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002B81CB AdjustTokenPrivileges,CloseHandle,0_2_002B81CB
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002B87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_002B87E1
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002CB333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,0_2_002CB333
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002DEE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_002DEE0D
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002D83BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,0_2_002D83BB
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00264E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_00264E89
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMutant created: NULL
                  Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Local\Temp\autB38D.tmpJump to behavior
                  Source: file.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: RegSvcs.exe, 00000001.00000002.2694268635.0000000002DE0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2694268635.0000000002DF0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2694268635.0000000002DFE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                  Source: file.exeVirustotal: Detection: 42%
                  Source: file.exeReversingLabs: Detection: 63%
                  Source: unknownProcess created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
                  Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\file.exe"
                  Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\file.exe"Jump to behavior
                  Source: C:\Users\user\Desktop\file.exeSection loaded: wsock32.dllJump to behavior
                  Source: C:\Users\user\Desktop\file.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\Desktop\file.exeSection loaded: winmm.dllJump to behavior
                  Source: C:\Users\user\Desktop\file.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Users\user\Desktop\file.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Users\user\Desktop\file.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\file.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\Desktop\file.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\Desktop\file.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\file.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\Desktop\file.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                  Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                  Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                  Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                  Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                  Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                  Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: wntdll.pdbUGP source: file.exe, 00000000.00000003.1453292287.0000000003FB0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.1454287998.0000000003E10000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: wntdll.pdb source: file.exe, 00000000.00000003.1453292287.0000000003FB0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.1454287998.0000000003E10000.00000004.00001000.00020000.00000000.sdmp
                  Source: file.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                  Source: file.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                  Source: file.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                  Source: file.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                  Source: file.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00264B37 LoadLibraryA,GetProcAddress,0_2_00264B37
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00288945 push ecx; ret 0_2_00288958
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002648D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_002648D7
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002E5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_002E5376
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00283187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00283187
                  Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                  Malware Analysis System Evasion

                  barindex
                  Switches to a custom stack to bypass stack traces
                  Source: C:\Users\user\Desktop\file.exeAPI/Special instruction interceptor: Address: 15F28AC
                  Source: C:\Users\user\Desktop\file.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_0-102343
                  Source: C:\Users\user\Desktop\file.exeAPI coverage: 4.4 %
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002C445A GetFileAttributesW,FindFirstFileW,FindClose,0_2_002C445A
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002CC6D1 FindFirstFileW,FindClose,0_2_002CC6D1
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002CC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_002CC75C
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002CEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_002CEF95
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002CF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_002CF0F2
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002CF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_002CF3F3
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002C37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_002C37EF
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002C3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_002C3B12
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002CBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_002CBCBC
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002649A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_002649A0
                  Source: RegSvcs.exe, 00000001.00000002.2693580086.0000000000E27000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_011DC168 LdrInitializeThunk,LdrInitializeThunk,1_2_011DC168
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002D3F09 BlockInput,0_2_002D3F09
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00263B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00263B3A
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00295A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_00295A7C
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00264B37 LoadLibraryA,GetProcAddress,0_2_00264B37
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_015F14C8 mov eax, dword ptr fs:[00000030h]0_2_015F14C8
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_015F2B78 mov eax, dword ptr fs:[00000030h]0_2_015F2B78
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_015F2B18 mov eax, dword ptr fs:[00000030h]0_2_015F2B18
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002B80A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,0_2_002B80A9
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0028A124 SetUnhandledExceptionFilter,0_2_0028A124
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0028A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0028A155
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMemory allocated: page read and write | page guardJump to behavior

                  HIPS / PFW / Operating System Protection Evasion

                  barindex
                  .NET source code references suspicious native API functions
                  Source: 0.2.file.exe.1560000.1.raw.unpack, UltraSpeed.csReference to suspicious API methods: MapVirtualKey(VKCode, 0u)
                  Source: 0.2.file.exe.1560000.1.raw.unpack, FFDecryptor.csReference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
                  Source: 0.2.file.exe.1560000.1.raw.unpack, FFDecryptor.csReference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))
                  Maps a DLL or memory area into another process
                  Source: C:\Users\user\Desktop\file.exeSection loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and writeJump to behavior
                  Writes to foreign memory regions
                  Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: AFD008Jump to behavior
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002B87B1 LogonUserW,0_2_002B87B1
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00263B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00263B3A
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002648D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_002648D7
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002C4C27 mouse_event,0_2_002C4C27
                  Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\file.exe"Jump to behavior
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002B7CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_002B7CAF
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002B874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_002B874B
                  Source: file.exeBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                  Source: file.exeBinary or memory string: Shell_TrayWnd
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0028862B cpuid 0_2_0028862B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00294E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00294E87
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002A1E06 GetUserNameW,0_2_002A1E06
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00293F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_00293F3A
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002649A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_002649A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                  Stealing of Sensitive Information

                  barindex
                  Yara detected MSIL Logger
                  Source: Yara matchFile source: 0.2.file.exe.1560000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.file.exe.1560000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000001.00000002.2693282784.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.1459871701.0000000001560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: file.exe PID: 8032, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 8052, type: MEMORYSTR
                  Yara detected MassLogger RAT
                  Source: Yara matchFile source: 0.2.file.exe.1560000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.file.exe.1560000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000001.00000002.2693282784.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.1459871701.0000000001560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: file.exe PID: 8032, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 8052, type: MEMORYSTR
                  Yara detected Telegram RAT
                  Source: Yara matchFile source: 0.2.file.exe.1560000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.file.exe.1560000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000001.00000002.2693282784.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.1459871701.0000000001560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: file.exe PID: 8032, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 8052, type: MEMORYSTR
                  Tries to harvest and steal browser information (history, passwords, etc)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                  Tries to steal Mail credentials (via file / registry access)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                  Source: file.exeBinary or memory string: WIN_81
                  Source: file.exeBinary or memory string: WIN_XP
                  Source: file.exeBinary or memory string: WIN_XPe
                  Source: file.exeBinary or memory string: WIN_VISTA
                  Source: file.exeBinary or memory string: WIN_7
                  Source: file.exeBinary or memory string: WIN_8
                  Source: file.exeBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
                  Source: Yara matchFile source: 0.2.file.exe.1560000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.file.exe.1560000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000001.00000002.2693282784.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.1459871701.0000000001560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.2694268635.0000000002E25000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: file.exe PID: 8032, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 8052, type: MEMORYSTR

                  Remote Access Functionality

                  barindex
                  Yara detected MSIL Logger
                  Source: Yara matchFile source: 0.2.file.exe.1560000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.file.exe.1560000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000001.00000002.2693282784.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.1459871701.0000000001560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: file.exe PID: 8032, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 8052, type: MEMORYSTR
                  Yara detected MassLogger RAT
                  Source: Yara matchFile source: 0.2.file.exe.1560000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.file.exe.1560000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000001.00000002.2693282784.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.1459871701.0000000001560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: file.exe PID: 8032, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 8052, type: MEMORYSTR
                  Yara detected Telegram RAT
                  Source: Yara matchFile source: 0.2.file.exe.1560000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.file.exe.1560000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000001.00000002.2693282784.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.1459871701.0000000001560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: file.exe PID: 8032, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 8052, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002D6283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,0_2_002D6283
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002D6747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_002D6747

                  Mitre Att&ck Matrix

                  ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                  Gather Victim Identity InformationAcquire Infrastructure2
                  Valid Accounts                  		12
                  Native API                  		1
                  DLL Side-Loading                  		1
                  Exploitation for Privilege Escalation                  		11
                  Disable or Modify Tools                  		1
                  OS Credential Dumping                  		2
                  System Time Discovery                  		Remote Services11
                  Archive Collected Data                  		2
                  Ingress Tool Transfer                  		Exfiltration Over Other Network Medium1
                  System Shutdown/Reboot
                  CredentialsDomainsDefault AccountsScheduled Task/Job2
                  Valid Accounts                  		1
                  DLL Side-Loading                  		11
                  Deobfuscate/Decode Files or Information                  		121
                  Input Capture                  		1
                  Account Discovery                  		Remote Desktop Protocol1
                  Data from Local System                  		11
                  Encrypted Channel                  		Exfiltration Over BluetoothNetwork Denial of Service
                  Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)2
                  Valid Accounts                  		3
                  Obfuscated Files or Information                  		Security Account Manager1
                  File and Directory Discovery                  		SMB/Windows Admin Shares1
                  Email Collection                  		2
                  Non-Application Layer Protocol                  		Automated ExfiltrationData Encrypted for Impact
                  Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook21
                  Access Token Manipulation                  		1
                  DLL Side-Loading                  		NTDS127
                  System Information Discovery                  		Distributed Component Object Model121
                  Input Capture                  		13
                  Application Layer Protocol                  		Traffic DuplicationData Destruction
                  Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script212
                  Process Injection                  		2
                  Valid Accounts                  		LSA Secrets131
                  Security Software Discovery                  		SSH3
                  Clipboard Data                  		Fallback ChannelsScheduled TransferData Encrypted for Impact
                  Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts21
                  Access Token Manipulation                  		Cached Domain Credentials2
                  Process Discovery                  		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                  DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items212
                  Process Injection                  		DCSync1
                  Application Window Discovery                  		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                  Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc Filesystem1
                  System Owner/User Discovery                  		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                  Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAtHTML Smuggling/etc/passwd and /etc/shadow1
                  System Network Configuration Discovery                  		Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement

                  Behavior Graph

                  Hide Legend

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet

                  Screenshots

                  Thumbnails

                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                  windows-stand

                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

                  SourceDetectionScannerLabelLink
                  file.exe42%VirustotalBrowse
                  file.exe63%ReversingLabsWin32.Trojan.AutoitInject
                  file.exe100%AviraTR/AD.SnakeStealer.vezhd

                  Dropped Files

                  No Antivirus matches

                  Unpacked PE Files

                  No Antivirus matches

                  Domains

                  No Antivirus matches

                  URLs

                  No Antivirus matches

                  Domains and IPs

                  Contacted Domains

                  NameIPActiveMaliciousAntivirus DetectionReputation
                  reallyfreegeoip.org
                  		104.21.96.1
                  		truefalse
                    		high
                    checkip.dyndns.com
                    		193.122.130.0
                    		truefalse
                      		high
                      checkip.dyndns.org
                      		unknown
                      		unknownfalse
                        		high

                        Contacted URLs

                        NameMaliciousAntivirus DetectionReputation
                        http://checkip.dyndns.org/false
                          		high
                          https://reallyfreegeoip.org/xml/8.46.123.189false
                            		high

                            URLs from Memory and Binaries

                            NameSourceMaliciousAntivirus DetectionReputation
                            https://reallyfreegeoip.org/xml/8.46.123.189lRegSvcs.exe, 00000001.00000002.2694268635.0000000002D80000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              http://checkip.dyndns.comdRegSvcs.exe, 00000001.00000002.2694268635.0000000002D80000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                http://checkip.dyndns.org/qfile.exe, 00000000.00000002.1459871701.0000000001560000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2693282784.0000000000402000.00000040.80000000.00040000.00000000.sdmpfalse
                                  		high
                                  http://reallyfreegeoip.orgdRegSvcs.exe, 00000001.00000002.2694268635.0000000002D9D000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    https://reallyfreegeoip.org/xml/8.46.123.189dRegSvcs.exe, 00000001.00000002.2694268635.0000000002D80000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      http://reallyfreegeoip.orgRegSvcs.exe, 00000001.00000002.2694268635.0000000002D9D000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        http://checkip.dyndns.orgdRegSvcs.exe, 00000001.00000002.2694268635.0000000002D80000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          https://reallyfreegeoip.orgRegSvcs.exe, 00000001.00000002.2694268635.0000000002D80000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            http://checkip.dyndns.orgRegSvcs.exe, 00000001.00000002.2694268635.0000000002D6E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2694268635.0000000002D80000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              http://checkip.dyndns.comRegSvcs.exe, 00000001.00000002.2694268635.0000000002D80000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                http://checkip.dyndns.org/dRegSvcs.exe, 00000001.00000002.2694268635.0000000002D80000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high
                                                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameRegSvcs.exe, 00000001.00000002.2694268635.0000000002D01000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		high
                                                    https://api.telegram.org/bot-/sendDocument?chat_id=file.exe, 00000000.00000002.1459871701.0000000001560000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2693282784.0000000000402000.00000040.80000000.00040000.00000000.sdmpfalse
                                                      		high
                                                      https://reallyfreegeoip.org/xml/file.exe, 00000000.00000002.1459871701.0000000001560000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2693282784.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2694268635.0000000002D80000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        		high

                                                        World Map of Contacted IPs

                                                        • No. of IPs < 25%
                                                        • 25% < No. of IPs < 50%
                                                        • 50% < No. of IPs < 75%
                                                        • 75% < No. of IPs

                                                        Public IPs

                                                        IPDomainCountryFlagASNASN NameMalicious
                                                        104.21.96.1
                                                        		reallyfreegeoip.orgUnited States
                                                        		13335CLOUDFLARENETUSfalse
                                                        193.122.130.0
                                                        		checkip.dyndns.comUnited States
                                                        		31898ORACLE-BMC-31898USfalse

                                                        General Information

                                                        Joe Sandbox version:42.0.0 Malachite
                                                        Analysis ID:1637452
                                                        Start date and time:2025-03-13 16:38:12 +01:00
                                                        Joe Sandbox product:CloudBasic
                                                        Overall analysis duration:0h 6m 18s
                                                        Hypervisor based Inspection enabled:false
                                                        Report type:full
                                                        Cookbook file name:default.jbs
                                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                        Number of analysed new started processes analysed:6
                                                        Number of new started drivers analysed:0
                                                        Number of existing processes analysed:0
                                                        Number of existing drivers analysed:0
                                                        Number of injected processes analysed:0
                                                        Technologies:
                                                        • HCA enabled
                                                        • EGA enabled
                                                        • AMSI enabled
                                                        Analysis Mode:default
                                                        Analysis stop reason:Timeout
                                                        Sample name:file.exe
                                                        Detection:MAL
                                                        Classification:mal100.troj.spyw.evad.winEXE@3/2@2/2
                                                        EGA Information:
                                                        • Successful, ratio: 100%
                                                        HCA Information:
                                                        • Successful, ratio: 100%
                                                        • Number of executed functions: 49
                                                        • Number of non-executed functions: 287
                                                        Cookbook Comments:
                                                        • Found application associated with file extension: .exe

                                                        Warnings

                                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                        • Excluded IPs from analysis (whitelisted): 20.109.210.53
                                                        • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
                                                        • Not all processes where analyzed, report is missing behavior information
                                                        • Report size exceeded maximum capacity and may have missing disassembly code.
                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                                        • Report size getting too big, too many NtReadVirtualMemory calls found.

                                                        Simulations

                                                        Behavior and APIs

                                                        No simulations

                                                        Joe Sandbox View / Context

                                                        IPs

                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                        104.21.96.1Transferencia 6997900002017937.exeGet hashmaliciousFormBookBrowse
                                                        • www.askvtwv8.top/uztg/
                                                        hh01FRs81x.exeGet hashmaliciousFormBookBrowse
                                                        • www.newanthoperso.shop/3nis/?LL=4FHLH&R4lxS2-P=7Jez/f8BRsPhvFRcTYEfxOkzfWBvvrnmo+4qP8uldvbHjjygNPFvdo5E4tKnf+Ij1qWwstrtA/xMUYgdGo9Dw7YPXWw4NGSG4oy32mHU2IUoylmJFg==
                                                        yloe82Jp1k.exeGet hashmaliciousFormBookBrowse
                                                        • www.sigaque.today/n61y/
                                                        A2h6QhZIKx.exeGet hashmaliciousAzorultBrowse
                                                        • k1d5.icu/TP341/index.php
                                                        DHL AWB Receipt_pdf.bat.exeGet hashmaliciousFormBookBrowse
                                                        • www.rbopisalive.cyou/2dxw/
                                                        r_BBVA_MensajeSWIFT04-03-2025-PDF.exeGet hashmaliciousFormBookBrowse
                                                        • www.kdrqcyusevx.info/k7wl/
                                                        MUH030425.exeGet hashmaliciousAzorultBrowse
                                                        • k1d5.icu/TP341/index.php
                                                        Invoice Remittance ref20250226.exeGet hashmaliciousFormBookBrowse
                                                        • www.rbopisalive.cyou/a669/
                                                        368c6e62-b031-5b65-fd43-e7a610184138.emlGet hashmaliciousHTMLPhisherBrowse
                                                        • ce60771026585.oakdiiocese.org/r/74?session=770558a25b5d1fcbb8d81f113631d430f5b8d022cdc6d97cf6b16a412a3be9e6
                                                        PO.exeGet hashmaliciousLokibotBrowse
                                                        • touxzw.ir/sccc/five/fre.php
                                                        193.122.130.0Bank Swift Payment.bat.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                        • checkip.dyndns.org/
                                                        NDQ211216GM08.exe.bin.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                        • checkip.dyndns.org/
                                                        2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                        • checkip.dyndns.org/
                                                        QUOTATION_MARQUOTE312025#U00faPDF.scrGet hashmaliciousMSIL LoggerBrowse
                                                        • checkip.dyndns.org/
                                                        efs.htaGet hashmaliciousCobalt Strike, MSIL Logger, MassLogger RATBrowse
                                                        • checkip.dyndns.org/
                                                        SC110-11#U3000Order_Z01G-00008D Siparis PO15804-25 - H64PO1.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                        • checkip.dyndns.org/
                                                        y79a2l1FY5.exeGet hashmaliciousDBatLoader, MSIL Logger, MassLogger RAT, PureLog StealerBrowse
                                                        • checkip.dyndns.org/
                                                        mybestgirlfriendwalkingaroundtheworld.htaGet hashmaliciousCobalt Strike, DBatLoader, MSIL Logger, MassLogger RAT, PureLog StealerBrowse
                                                        • checkip.dyndns.org/
                                                        Payment_Advise.vbsGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                        • checkip.dyndns.org/
                                                        Yeni Sat#U0131nalma Sipari#U015fi.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                        • checkip.dyndns.org/

                                                        Domains

                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                        reallyfreegeoip.orgfile.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                        • 104.21.112.1
                                                        file.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                        • 104.21.32.1
                                                        Notice Letter 2025 03 12 02930920.docs.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                        • 104.21.16.1
                                                        Bank Swift Payment.bat.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                        • 104.21.48.1
                                                        NDQ211216GM08.exe.bin.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                        • 104.21.80.1
                                                        2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                        • 104.21.96.1
                                                        QUOTATION_MARQUOTE312025#U00faPDF.scrGet hashmaliciousMSIL LoggerBrowse
                                                        • 104.21.32.1
                                                        SOA Since OCT DEC 241738316681530012900.batGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                        • 104.21.32.1
                                                        SecuriteInfo.com.Win32.DropperX-gen.23511.10885.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                        • 104.21.112.1
                                                        PO-2513203-PDF.jsGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                        • 104.21.112.1
                                                        checkip.dyndns.comfile.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                        • 132.226.247.73
                                                        file.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                        • 158.101.44.242
                                                        Notice Letter 2025 03 12 02930920.docs.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                        • 193.122.6.168
                                                        Bank Swift Payment.bat.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                        • 193.122.130.0
                                                        NDQ211216GM08.exe.bin.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                        • 193.122.130.0
                                                        2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                        • 193.122.130.0
                                                        QUOTATION_MARQUOTE312025#U00faPDF.scrGet hashmaliciousMSIL LoggerBrowse
                                                        • 193.122.130.0
                                                        SOA Since OCT DEC 241738316681530012900.batGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                        • 132.226.8.169
                                                        SecuriteInfo.com.Win32.DropperX-gen.23511.10885.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                        • 132.226.247.73
                                                        PO-2513203-PDF.jsGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                        • 132.226.247.73

                                                        ASNs

                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                        CLOUDFLARENETUSfile.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                        • 104.21.112.1
                                                        https://ctrk.klclick3.com/l/01JP5VPSP6JS7E5VAEC1KGWEB7_2Get hashmaliciousUnknownBrowse
                                                        • 104.17.93.1
                                                        file.exeGet hashmaliciousLummaC StealerBrowse
                                                        • 104.21.96.1
                                                        file.exeGet hashmaliciousUnknownBrowse
                                                        • 104.21.64.1
                                                        file.exeGet hashmaliciousLummaC StealerBrowse
                                                        • 188.114.96.3
                                                        file.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                        • 104.21.32.1
                                                        https://65.255.55.140:10443/Get hashmaliciousUnknownBrowse
                                                        • 1.1.1.1
                                                        https://sites.google.com/view/sysgfdgsfghgfdvvbffdv-hgfdcfb/homeGet hashmaliciousUnknownBrowse
                                                        • 1.1.1.1
                                                        https://tedmino.shop:443/Nordonee_-_Karma.mp3Get hashmaliciousUnknownBrowse
                                                        • 172.67.167.231
                                                        ORACLE-BMC-31898USfile.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                        • 158.101.44.242
                                                        Notice Letter 2025 03 12 02930920.docs.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                        • 193.122.6.168
                                                        Bank Swift Payment.bat.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                        • 193.122.130.0
                                                        NDQ211216GM08.exe.bin.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                        • 193.122.130.0
                                                        2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                        • 193.122.130.0
                                                        QUOTATION_MARQUOTE312025#U00faPDF.scrGet hashmaliciousMSIL LoggerBrowse
                                                        • 193.122.130.0
                                                        justificante de transferencia09454545.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                        • 158.101.44.242
                                                        QUOTATION_FEBQUOTE312025#U00faPDF.scrGet hashmaliciousMSIL LoggerBrowse
                                                        • 158.101.44.242
                                                        efs.htaGet hashmaliciousCobalt Strike, MSIL Logger, MassLogger RATBrowse
                                                        • 193.122.130.0
                                                        category05 sc110-11#U3000_Z01G-00008D Siparis PO15804-25 - H64PO1.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                        • 158.101.44.242

                                                        JA3 Fingerprints

                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                        54328bd36c14bd82ddaa0c04b25ed9adfile.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                        • 104.21.96.1
                                                        file.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                        • 104.21.96.1
                                                        Notice Letter 2025 03 12 02930920.docs.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                        • 104.21.96.1
                                                        Bank Swift Payment.bat.exeGet hashmaliciousMSIL Logger, MassLogger RATBrowse
                                                        • 104.21.96.1
                                                        NDQ211216GM08.exe.bin.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                        • 104.21.96.1
                                                        2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                        • 104.21.96.1
                                                        Order 20201103.exeGet hashmaliciousRedLineBrowse
                                                        • 104.21.96.1
                                                        SOA Since OCT DEC 241738316681530012900.batGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                        • 104.21.96.1
                                                        SecuriteInfo.com.Win32.DropperX-gen.23511.10885.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                        • 104.21.96.1
                                                        PO-2513203-PDF.jsGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                        • 104.21.96.1

                                                        Dropped Files

                                                        No context

                                                        Created / dropped Files

                                                        C:\Users\user\AppData\Local\Temp\autB38D.tmp

                                                        Download File
                                                        Process:C:\Users\user\Desktop\file.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):63852
                                                        Entropy (8bit):7.896577847742881
                                                        Encrypted:false
                                                        SSDEEP:768:+3K7+jQuG81I/H1EMKR9EwwLBeImlNwjAYfANiFrDFajtKgM/FkE58/L0tzajJuu:KUuPIkBPw3AmDFIURAwtzalmIMF0
                                                        MD5:69AF0DF880B33CDDD5E7079B8C055F56
                                                        SHA1:430AC03C92214CCD9380A3F74A19CCF7DABF2352
                                                        SHA-256:C0D2B8BADE100AD9C45D63E7D24CDA66F43E2ACAAC04292ECEAC6473CCB8E6BF
                                                        SHA-512:CF6B149F9CDBFF9DC185D88255A2F4C6177867C315D682BBCD47146B2A5B3B32F7D66E823BCD24E67634D342AD3B47A769474D85B6888C993F4F64782A18DB19
                                                        Malicious:false
                                                        Reputation:low
                                                        Preview:EA06..n..Ftt....3.Q.N.eZ.V)....qH....y..gL.......mR.V.......g..8P+.....;..|..R3l.I'....YT.Ne....S[..U..BU8.^j5kD&.....yM.G...3`..k.Y....>....Q....N.Z.O)..........X..F.y...r.L/....qH..Ff..Q...0..Tb.K.p.t9.2.Q..d.........N.8t......L._j......a......1...Vy.b|.9.-..G...v1&.......9.S@........*|7...Qc......=D...P.p.S..>....s.Mj.J..eZ..8?..B..8K.@....M..T||.(..2.^.....{H..j..?.f.)E(.Z..>.)....<.O8.N.....bs:..i..x.......3..p..h.8+.....s4....8J...`..t..&.....s2...Y.L.V.]J......^..o..j[j..4.......M..&....B..&......L+..].q8.si..<..i.V...:....S*...........P...S:eJ.`....l.2..T..fb..X`.Iu.gJ.@.S:$.yX.T6U..B.G.D!t.]j....)..-.gd...j...0.[.....f.....\.R.6...6.FkQ...uY.l(...NQR.T|........!U..Z.8.R.^:..se......A..,.).rar..$....W..(s:E.4.S...4.U2.M.~ ..;.R..8.........F.|.Sk...M..-.....i..*V..F...Vg...P...6.ej.....Z.._..L+...$..Q.3....b...;.....L*T.......f.jeb....nV...I%..&.......Lh..}b.N..(.}4..2.L.T.,4.`..`ty.&....&5...`.e%.>...8..s...B..V)|. ..B...U..

                                                        C:\Users\user\AppData\Local\Temp\oxmanship

                                                        Download File
                                                        Process:C:\Users\user\Desktop\file.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):93696
                                                        Entropy (8bit):6.880314116273178
                                                        Encrypted:false
                                                        SSDEEP:1536:jxL81ix0WkK8EzBTFSd181ZSwTjlOX3rZlqR1c1eOD/zwvTn/Ne5s+jm0U+BrHJw:+iG5181ZSwTjlOX3rZlqR1c1eOD/zwvr
                                                        MD5:DD4A218E497F6149314C9A3BC2336971
                                                        SHA1:E2C5444A15BC019CFA25BE147E668B62BE95096D
                                                        SHA-256:D4C9437BE47992DBA1C110FF9F3F05CEAE2EE0455514EE22C8D7540288C0C31C
                                                        SHA-512:55287E7FEE6121E295084AC83DD42685EA13E64ECFD775961A8B8D4C8B975832534DB113963051EA8001D02057161FA77A45E9FB57842CBF4D427B754B14EC24
                                                        Malicious:false
                                                        Reputation:low
                                                        Preview:~..L[AJ3JG5X.2Z.XMXY88H.KPG3C3LXAJ3NG5X6R2Z0XMXY88HMKPG3C3L.AJ3@X.V6.;...L...l $8p7A,T>9,jP/)[7BrP?.*86yQVh...g^,W)vLG9jG5X6R2Z`.MX.9;H.%..3C3LXAJ3.G7Y=SbZ0<LXY08HMKPG..2LXaJ3N.4X6RrZ0xMXY:8HIKPG3C3L^AJ3NG5X6.3Z0ZMXY88HOK0.3C#LXQJ3NG%X6B2Z0XMXI88HMKPG3C3L..K3.G5X6.3Z.]MXY88HMKPG3C3LXAJ3N.4X:R2Z0XMXY88HMKPG3C3LXAJ3NG5X6R2Z0XMXY88HMKPG3C3LXAJ3Ng5X>R2Z0XMXY88HEkPG{C3LXAJ3NG5X.&W"DXMX.Z9HMkPG3'2LXCJ3NG5X6R2Z0XMXy88(c9#5PC3L.DJ3N.4X6T2Z0>LXY88HMKPG3C3L.AJs`5P4Y12Z<XMXY.9HMIPG3/2LXAJ3NG5X6R2ZpXM.Y88HMKPG3C3LXAJ3..4X6R2ZxXMX[8=H1.PG..3L[AJ3.G5^.2Z.XMXY88HMKPG3C3LXAJ3NG5X6R2Z0XMXY88HMKPG3C3L.<.<...1E..Z0XMXY9:KIMXO3C3LXAJ30G5XpR2ZpXMXn88HhKPG^C3L|AJ30G5XHR2ZTXMX+88H,KPGtC3L7AJ3 G5XHR2Z.ZeGY82bkKRo.C3FXk.@oG5R.S2Z4+oXY2.JMKT4.C3F.BJ3J4.X6X.^0XI+|88B.NPG7iiL[.\5NG.7.R2P0[.M_88SgmPE.z3LRA`.ND.M0R2A.zMZ.18HIa.4.C3Jp.J3D3<X6P.P0XIrG:..MKZm.= LXEa3deKL6R6q0ro&L88LfKzeMU3L\jJ.l9"X6V.Z.^g:YJ.DM;S(RC3Jp.J3DouX6T2p.X3VY8<J".PG9e.vXi.3NA5pgR2\0r.X'.8HIgW9.C3HsW4.NG1.0*2Z6+.XY2..~KPC..3LRA`.NolX6T2r|XM^

                                                        Static File Info

                                                        General

                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                        Entropy (8bit):6.844753191231613
                                                        TrID:
                                                        • Win32 Executable (generic) a (10002005/4) 99.96%
                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                        • DOS Executable Generic (2002/1) 0.02%
                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                        File name:file.exe
                                                        File size:964'608 bytes
                                                        MD5:855bb87420f8dbe945a1ffa4abbb23f9
                                                        SHA1:8115793b368fc257780e8ae00bc3ad568adfbd60
                                                        SHA256:ada32ec7d1868b4e082ae007138811e58e8b44dc748a847d8e055adf4cae25a9
                                                        SHA512:d447411eb3b4b6f7de1e723d9fb7b7da6859f3f1f53316cc9c5eb714d62764058a3e40688f1fc773636e37e53905093c2f60bb68bd2d0d9f85999116c3b4f24a
                                                        SSDEEP:24576:lu6J33O0c+JY5UZ+XC0kGso6Fa5S4L2BKEPMqWY:nu0c++OCvkGs9Fa5TyBZsY
                                                        TLSH:0C25AD2273DDC360CB669173BF6AB7016EBF3C614630B85B2F980D7DA950162162D7A3
                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

                                                        File Icon

                                                        Icon Hash:aaf3e3e3938382a0

                                                        Static PE Info

                                                        General

                                                        Entrypoint:0x427dcd
                                                        Entrypoint Section:.text
                                                        Digitally signed:false
                                                        Imagebase:0x400000
                                                        Subsystem:windows gui
                                                        Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                        DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                        Time Stamp:0x67D27881 [Thu Mar 13 06:17:37 2025 UTC]
                                                        TLS Callbacks:
                                                        CLR (.Net) Version:
                                                        OS Version Major:5
                                                        OS Version Minor:1
                                                        File Version Major:5
                                                        File Version Minor:1
                                                        Subsystem Version Major:5
                                                        Subsystem Version Minor:1
                                                        Import Hash:afcdf79be1557326c854b6e20cb900a7

                                                        Entrypoint Preview

                                                        Instruction
                                                        call 00007FB27CD5C77Ah
                                                        jmp 00007FB27CD4F544h
                                                        int3
                                                        int3
                                                        int3
                                                        int3
                                                        int3
                                                        int3
                                                        int3
                                                        int3
                                                        int3
                                                        push edi
                                                        push esi
                                                        mov esi, dword ptr [esp+10h]
                                                        mov ecx, dword ptr [esp+14h]
                                                        mov edi, dword ptr [esp+0Ch]
                                                        mov eax, ecx
                                                        mov edx, ecx
                                                        add eax, esi
                                                        cmp edi, esi
                                                        jbe 00007FB27CD4F6CAh
                                                        cmp edi, eax
                                                        jc 00007FB27CD4FA2Eh
                                                        bt dword ptr [004C31FCh], 01h
                                                        jnc 00007FB27CD4F6C9h
                                                        rep movsb
                                                        jmp 00007FB27CD4F9DCh
                                                        cmp ecx, 00000080h
                                                        jc 00007FB27CD4F894h
                                                        mov eax, edi
                                                        xor eax, esi
                                                        test eax, 0000000Fh
                                                        jne 00007FB27CD4F6D0h
                                                        bt dword ptr [004BE324h], 01h
                                                        jc 00007FB27CD4FBA0h
                                                        bt dword ptr [004C31FCh], 00000000h
                                                        jnc 00007FB27CD4F86Dh
                                                        test edi, 00000003h
                                                        jne 00007FB27CD4F87Eh
                                                        test esi, 00000003h
                                                        jne 00007FB27CD4F85Dh
                                                        bt edi, 02h
                                                        jnc 00007FB27CD4F6CFh
                                                        mov eax, dword ptr [esi]
                                                        sub ecx, 04h
                                                        lea esi, dword ptr [esi+04h]
                                                        mov dword ptr [edi], eax
                                                        lea edi, dword ptr [edi+04h]
                                                        bt edi, 03h
                                                        jnc 00007FB27CD4F6D3h
                                                        movq xmm1, qword ptr [esi]
                                                        sub ecx, 08h
                                                        lea esi, dword ptr [esi+08h]
                                                        movq qword ptr [edi], xmm1
                                                        lea edi, dword ptr [edi+08h]
                                                        test esi, 00000007h
                                                        je 00007FB27CD4F725h
                                                        bt esi, 03h
                                                        jnc 00007FB27CD4F778h

                                                        Rich Headers

                                                        Programming Language:
                                                        • [ASM] VS2013 build 21005
                                                        • [ C ] VS2013 build 21005
                                                        • [C++] VS2013 build 21005
                                                        • [ C ] VS2008 SP1 build 30729
                                                        • [IMP] VS2008 SP1 build 30729
                                                        • [ASM] VS2013 UPD4 build 31101
                                                        • [RES] VS2013 build 21005
                                                        • [LNK] VS2013 UPD4 build 31101

                                                        Data Directories

                                                        NameVirtual AddressVirtual Size Is in Section
                                                        IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_IMPORT0xba44c0x17c.rdata
                                                        IMAGE_DIRECTORY_ENTRY_RESOURCE0xc70000x22fe8.rsrc
                                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_BASERELOC0xea0000x711c.reloc
                                                        IMAGE_DIRECTORY_ENTRY_DEBUG0x92bc00x1c.rdata
                                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0xa48700x40.rdata
                                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_IAT0x8f0000x884.rdata
                                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                        Sections

                                                        NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                        .text0x10000x8dcc40x8de00d28a820a1d9ff26cda02d12b888ba4b4False0.5728679102422908data6.676118058520316IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                        .rdata0x8f0000x2e10e0x2e20079b14b254506b0dbc8cd0ad67fb70ad9False0.33535526761517614OpenPGP Public Key5.76010872795207IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                        .data0xbe0000x8f740x52009f9d6f746f1a415a63de45f8b7983d33False0.1017530487804878data1.198745897703538IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                        .rsrc0xc70000x22fe80x2300066103caab5b69f5f2edbd228cf97ece2False0.8133161272321429data7.57351484601897IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                        .reloc0xea0000x711c0x72006fcae3cbbf6bfbabf5ec5bbe7cf612c3False0.7650767543859649data6.779031650454199IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                        Resources

                                                        NameRVASizeTypeLanguageCountryZLIB Complexity
                                                        RT_ICON0xc75a80x128Device independent bitmap graphic, 16 x 32 x 4, image size 192EnglishGreat Britain0.7466216216216216
                                                        RT_ICON0xc76d00x128Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colorsEnglishGreat Britain0.3277027027027027
                                                        RT_ICON0xc77f80x128Device independent bitmap graphic, 16 x 32 x 4, image size 192EnglishGreat Britain0.3885135135135135
                                                        RT_ICON0xc79200x2e8Device independent bitmap graphic, 32 x 64 x 4, image size 0EnglishGreat Britain0.3333333333333333
                                                        RT_ICON0xc7c080x128Device independent bitmap graphic, 16 x 32 x 4, image size 0EnglishGreat Britain0.5
                                                        RT_ICON0xc7d300xea8Device independent bitmap graphic, 48 x 96 x 8, image size 0EnglishGreat Britain0.2835820895522388
                                                        RT_ICON0xc8bd80x8a8Device independent bitmap graphic, 32 x 64 x 8, image size 0EnglishGreat Britain0.37906137184115524
                                                        RT_ICON0xc94800x568Device independent bitmap graphic, 16 x 32 x 8, image size 0EnglishGreat Britain0.23699421965317918
                                                        RT_ICON0xc99e80x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 0EnglishGreat Britain0.13858921161825727
                                                        RT_ICON0xcbf900x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 0EnglishGreat Britain0.25070356472795496
                                                        RT_ICON0xcd0380x468Device independent bitmap graphic, 16 x 32 x 32, image size 0EnglishGreat Britain0.3173758865248227
                                                        RT_MENU0xcd4a00x50dataEnglishGreat Britain0.9
                                                        RT_STRING0xcd4f00x594dataEnglishGreat Britain0.3333333333333333
                                                        RT_STRING0xcda840x68adataEnglishGreat Britain0.2747909199522103
                                                        RT_STRING0xce1100x490dataEnglishGreat Britain0.3715753424657534
                                                        RT_STRING0xce5a00x5fcdataEnglishGreat Britain0.3087467362924282
                                                        RT_STRING0xceb9c0x65cdataEnglishGreat Britain0.34336609336609336
                                                        RT_STRING0xcf1f80x466dataEnglishGreat Britain0.3605683836589698
                                                        RT_STRING0xcf6600x158Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0EnglishGreat Britain0.502906976744186
                                                        RT_RCDATA0xcf7b80x1a2addata1.0003825304858138
                                                        RT_GROUP_ICON0xe9a680x76dataEnglishGreat Britain0.6610169491525424
                                                        RT_GROUP_ICON0xe9ae00x14dataEnglishGreat Britain1.25
                                                        RT_GROUP_ICON0xe9af40x14dataEnglishGreat Britain1.15
                                                        RT_GROUP_ICON0xe9b080x14dataEnglishGreat Britain1.25
                                                        RT_VERSION0xe9b1c0xdcdataEnglishGreat Britain0.6181818181818182
                                                        RT_MANIFEST0xe9bf80x3efASCII text, with CRLF line terminatorsEnglishGreat Britain0.5074478649453823

                                                        Imports

                                                        DLLImport
                                                        WSOCK32.dllWSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
                                                        VERSION.dllGetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
                                                        WINMM.dlltimeGetTime, waveOutSetVolume, mciSendStringW
                                                        COMCTL32.dllImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
                                                        MPR.dllWNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
                                                        WININET.dllInternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
                                                        PSAPI.DLLGetProcessMemoryInfo
                                                        IPHLPAPI.DLLIcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
                                                        USERENV.dllDestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
                                                        UxTheme.dllIsThemeActive
                                                        KERNEL32.dllDuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
                                                        USER32.dllAdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
                                                        GDI32.dllStrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
                                                        COMDLG32.dllGetOpenFileNameW, GetSaveFileNameW
                                                        ADVAPI32.dllGetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
                                                        SHELL32.dllDragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
                                                        ole32.dllCoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
                                                        OLEAUT32.dllLoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

                                                        Version Infos

                                                        DescriptionData
                                                        Translation0x0809 0x04b0

                                                        Possible Origin

                                                        Language of compilation systemCountry where language is spokenMap
                                                        EnglishGreat Britain

                                                        Network Behavior

                                                        Suricata IDS Alerts

                                                        TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                        2025-03-13T16:39:39.340735+01002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.449714193.122.130.080TCP

                                                        Network Port Distribution

                                                        TCP Packets

                                                        TimestampSource PortDest PortSource IPDest IP
                                                        Mar 13, 2025 16:39:38.636131048 CET4971480192.168.2.4193.122.130.0
                                                        Mar 13, 2025 16:39:38.640876055 CET8049714193.122.130.0192.168.2.4
                                                        Mar 13, 2025 16:39:38.657628059 CET4971480192.168.2.4193.122.130.0
                                                        Mar 13, 2025 16:39:38.660418987 CET4971480192.168.2.4193.122.130.0
                                                        Mar 13, 2025 16:39:38.665136099 CET8049714193.122.130.0192.168.2.4
                                                        Mar 13, 2025 16:39:39.134197950 CET8049714193.122.130.0192.168.2.4
                                                        Mar 13, 2025 16:39:39.179578066 CET4971480192.168.2.4193.122.130.0
                                                        Mar 13, 2025 16:39:39.184401989 CET8049714193.122.130.0192.168.2.4
                                                        Mar 13, 2025 16:39:39.285459995 CET8049714193.122.130.0192.168.2.4
                                                        Mar 13, 2025 16:39:39.340734959 CET4971480192.168.2.4193.122.130.0
                                                        Mar 13, 2025 16:39:39.350466013 CET49715443192.168.2.4104.21.96.1
                                                        Mar 13, 2025 16:39:39.350513935 CET44349715104.21.96.1192.168.2.4
                                                        Mar 13, 2025 16:39:39.360536098 CET49715443192.168.2.4104.21.96.1
                                                        Mar 13, 2025 16:39:39.411900043 CET49715443192.168.2.4104.21.96.1
                                                        Mar 13, 2025 16:39:39.411919117 CET44349715104.21.96.1192.168.2.4
                                                        Mar 13, 2025 16:39:40.846040964 CET44349715104.21.96.1192.168.2.4
                                                        Mar 13, 2025 16:39:40.846061945 CET44349715104.21.96.1192.168.2.4
                                                        Mar 13, 2025 16:39:40.846173048 CET49715443192.168.2.4104.21.96.1
                                                        Mar 13, 2025 16:39:40.852041960 CET49715443192.168.2.4104.21.96.1
                                                        Mar 13, 2025 16:39:40.852056980 CET44349715104.21.96.1192.168.2.4
                                                        Mar 13, 2025 16:39:40.852406979 CET44349715104.21.96.1192.168.2.4
                                                        Mar 13, 2025 16:39:40.894404888 CET49715443192.168.2.4104.21.96.1
                                                        Mar 13, 2025 16:39:40.905543089 CET49715443192.168.2.4104.21.96.1
                                                        Mar 13, 2025 16:39:40.952325106 CET44349715104.21.96.1192.168.2.4
                                                        Mar 13, 2025 16:39:41.431436062 CET44349715104.21.96.1192.168.2.4
                                                        Mar 13, 2025 16:39:41.431524992 CET44349715104.21.96.1192.168.2.4
                                                        Mar 13, 2025 16:39:41.431632996 CET49715443192.168.2.4104.21.96.1
                                                        Mar 13, 2025 16:39:41.438941956 CET49715443192.168.2.4104.21.96.1
                                                        Mar 13, 2025 16:40:44.283814907 CET8049714193.122.130.0192.168.2.4
                                                        Mar 13, 2025 16:40:44.283900023 CET4971480192.168.2.4193.122.130.0
                                                        Mar 13, 2025 16:41:19.317235947 CET4971480192.168.2.4193.122.130.0
                                                        Mar 13, 2025 16:41:19.322016954 CET8049714193.122.130.0192.168.2.4

                                                        UDP Packets

                                                        TimestampSource PortDest PortSource IPDest IP
                                                        Mar 13, 2025 16:39:38.573652983 CET6473353192.168.2.41.1.1.1
                                                        Mar 13, 2025 16:39:38.584487915 CET53647331.1.1.1192.168.2.4
                                                        Mar 13, 2025 16:39:39.329586029 CET5170453192.168.2.41.1.1.1
                                                        Mar 13, 2025 16:39:39.336846113 CET53517041.1.1.1192.168.2.4

                                                        DNS Queries

                                                        TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                        Mar 13, 2025 16:39:38.573652983 CET192.168.2.41.1.1.10xae39Standard query (0)checkip.dyndns.orgA (IP address)IN (0x0001)false
                                                        Mar 13, 2025 16:39:39.329586029 CET192.168.2.41.1.1.10x8b7aStandard query (0)reallyfreegeoip.orgA (IP address)IN (0x0001)false

                                                        DNS Answers

                                                        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                        Mar 13, 2025 16:39:38.584487915 CET1.1.1.1192.168.2.40xae39No error (0)checkip.dyndns.orgcheckip.dyndns.comCNAME (Canonical name)IN (0x0001)false
                                                        Mar 13, 2025 16:39:38.584487915 CET1.1.1.1192.168.2.40xae39No error (0)checkip.dyndns.com193.122.130.0A (IP address)IN (0x0001)false
                                                        Mar 13, 2025 16:39:38.584487915 CET1.1.1.1192.168.2.40xae39No error (0)checkip.dyndns.com132.226.8.169A (IP address)IN (0x0001)false
                                                        Mar 13, 2025 16:39:38.584487915 CET1.1.1.1192.168.2.40xae39No error (0)checkip.dyndns.com158.101.44.242A (IP address)IN (0x0001)false
                                                        Mar 13, 2025 16:39:38.584487915 CET1.1.1.1192.168.2.40xae39No error (0)checkip.dyndns.com132.226.247.73A (IP address)IN (0x0001)false
                                                        Mar 13, 2025 16:39:38.584487915 CET1.1.1.1192.168.2.40xae39No error (0)checkip.dyndns.com193.122.6.168A (IP address)IN (0x0001)false
                                                        Mar 13, 2025 16:39:39.336846113 CET1.1.1.1192.168.2.40x8b7aNo error (0)reallyfreegeoip.org104.21.96.1A (IP address)IN (0x0001)false
                                                        Mar 13, 2025 16:39:39.336846113 CET1.1.1.1192.168.2.40x8b7aNo error (0)reallyfreegeoip.org104.21.48.1A (IP address)IN (0x0001)false
                                                        Mar 13, 2025 16:39:39.336846113 CET1.1.1.1192.168.2.40x8b7aNo error (0)reallyfreegeoip.org104.21.32.1A (IP address)IN (0x0001)false
                                                        Mar 13, 2025 16:39:39.336846113 CET1.1.1.1192.168.2.40x8b7aNo error (0)reallyfreegeoip.org104.21.64.1A (IP address)IN (0x0001)false
                                                        Mar 13, 2025 16:39:39.336846113 CET1.1.1.1192.168.2.40x8b7aNo error (0)reallyfreegeoip.org104.21.80.1A (IP address)IN (0x0001)false
                                                        Mar 13, 2025 16:39:39.336846113 CET1.1.1.1192.168.2.40x8b7aNo error (0)reallyfreegeoip.org104.21.16.1A (IP address)IN (0x0001)false
                                                        Mar 13, 2025 16:39:39.336846113 CET1.1.1.1192.168.2.40x8b7aNo error (0)reallyfreegeoip.org104.21.112.1A (IP address)IN (0x0001)false

                                                        HTTP Request Dependency Graph

                                                        • reallyfreegeoip.org
                                                        • checkip.dyndns.org

                                                        HTTP Packets

                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        0192.168.2.449714193.122.130.0808052C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                        TimestampBytes transferredDirectionData
                                                        Mar 13, 2025 16:39:38.660418987 CET151OUTGET / HTTP/1.1
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                        Host: checkip.dyndns.org
                                                        Connection: Keep-Alive
                                                        Mar 13, 2025 16:39:39.134197950 CET321INHTTP/1.1 200 OK
                                                        Date: Thu, 13 Mar 2025 15:39:39 GMT
                                                        Content-Type: text/html
                                                        Content-Length: 104
                                                        Connection: keep-alive
                                                        Cache-Control: no-cache
                                                        Pragma: no-cache
                                                        X-Request-ID: ac94af2512d60f8fd909e597cb757484
                                                        Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                        Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
                                                        Mar 13, 2025 16:39:39.179578066 CET127OUTGET / HTTP/1.1
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                        Host: checkip.dyndns.org
                                                        Mar 13, 2025 16:39:39.285459995 CET321INHTTP/1.1 200 OK
                                                        Date: Thu, 13 Mar 2025 15:39:39 GMT
                                                        Content-Type: text/html
                                                        Content-Length: 104
                                                        Connection: keep-alive
                                                        Cache-Control: no-cache
                                                        Pragma: no-cache
                                                        X-Request-ID: bb367a6c539099cd8cdd9b180119190a
                                                        Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                        Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                                        HTTPS Proxied Packets

                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        0192.168.2.449715104.21.96.14438052C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                        TimestampBytes transferredDirectionData
                                                        2025-03-13 15:39:40 UTC85OUTGET /xml/8.46.123.189 HTTP/1.1
                                                        Host: reallyfreegeoip.org
                                                        Connection: Keep-Alive
                                                        2025-03-13 15:39:41 UTC864INHTTP/1.1 200 OK
                                                        Date: Thu, 13 Mar 2025 15:39:41 GMT
                                                        Content-Type: text/xml
                                                        Content-Length: 362
                                                        Connection: close
                                                        Age: 24456
                                                        Cache-Control: max-age=31536000
                                                        cf-cache-status: HIT
                                                        last-modified: Thu, 13 Mar 2025 08:52:04 GMT
                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=T8Jma%2FLQVwlCk15LjWXzXBojMjYZNoPMSq9lsVL6XdLrer2STR5zTr%2F8WtX0omdoZJN%2F3jq0lX1zGLrHs58%2BiqXJ%2BjASHR8dTv5EDvBdbQu%2FVT1m58hSZGsy%2FUpFDGbLA5g%2B80mu"}],"group":"cf-nel","max_age":604800}
                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                        Server: cloudflare
                                                        CF-RAY: 91fca01e48b566fb-DFW
                                                        alt-svc: h3=":443"; ma=86400
                                                        server-timing: cfL4;desc="?proto=TCP&rtt=42590&min_rtt=37965&rtt_var=14628&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=75173&cwnd=57&unsent_bytes=0&cid=8fc56ce1c949638f&ts=682&x=0"
                                                        2025-03-13 15:39:41 UTC362INData Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                        Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                        Statistics

                                                        CPU Usage

                                                        Click to jump to process

                                                        Memory Usage

                                                        Click to jump to process

                                                        High Level Behavior Distribution

                                                        Click to dive into process behavior distribution

                                                        Behavior

                                                        Click to jump to process

                                                        System Behavior

                                                        General

                                                        Target ID:0
                                                        Start time:11:39:35
                                                        Start date:13/03/2025
                                                        Path:C:\Users\user\Desktop\file.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\file.exe"
                                                        Imagebase:0x260000
                                                        File size:964'608 bytes
                                                        MD5 hash:855BB87420F8DBE945A1FFA4ABBB23F9
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.1459871701.0000000001560000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1459871701.0000000001560000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 00000000.00000002.1459871701.0000000001560000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1459871701.0000000001560000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1459871701.0000000001560000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                        • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000000.00000002.1459871701.0000000001560000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
                                                        Reputation:low
                                                        Has exited:true

                                                        General

                                                        Target ID:1
                                                        Start time:11:39:36
                                                        Start date:13/03/2025
                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\file.exe"
                                                        Imagebase:0x940000
                                                        File size:45'984 bytes
                                                        MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000001.00000002.2693282784.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2693282784.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 00000001.00000002.2693282784.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000002.2693282784.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                        • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000001.00000002.2693282784.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2694268635.0000000002E25000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        Reputation:high
                                                        Has exited:false

                                                        Disassembly

                                                        Reset < >