Edit tour

Windows Analysis Report
smss (2).exe

Overview

General Information

Sample name:	smss (2).exe
Analysis ID:	1664057
MD5:	a9a05d451c24858918183c1e7271a306
SHA1:	e9ea72f8b86886be421da90c131659d6ebb9483f
SHA256:	d878f6aa5cc41db62f6b2c3466cbec5d792eaf8f77b2ea1e779e7925f267be52
Tags:	104-168-7-18exesalsita-linkuser-JAMESWT_WT
Infos:

Detection

MSIL Logger, MassLogger RAT

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected MSIL Logger

Yara detected MassLogger RAT

Yara detected Telegram RAT

.NET source code references suspicious native API functions

Binary is likely a compiled AutoIt script file

Contains functionality to log keystrokes (.Net Source)

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

smss (2).exe (PID: 8184 cmdline: "C:\Users\user\Desktop\smss (2).exe" MD5: A9A05D451C24858918183C1E7271A306)

RegSvcs.exe (PID: 7392 cmdline: "C:\Users\user\Desktop\smss (2).exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "Telegram", "Telegram Token": "7598843355:AAHehybWWiULdkPS1RLFstdr4_yw-SdkoII", "Telegram Chatid": "7668947425"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1339327896.0000000003F10000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000000.00000002.1339327896.0000000003F10000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1339327896.0000000003F10000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000000.00000002.1339327896.0000000003F10000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1339327896.0000000003F10000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1df:$a1: get_encryptedPassword 0xf507:$a2: get_encryptedUsername 0xef7a:$a3: get_timePasswordChanged 0xf09b:$a4: get_passwordField 0xf1f5:$a5: set_encryptedPassword 0x10b51:$a7: get_logins 0x10802:$a8: GetOutlookPasswords 0x105f4:$a9: StartKeylogger 0x10aa1:$a10: KeyLoggerEventArgs 0x10651:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.1339327896.0000000003F10000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1418b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13689:$a3: \Google\Chrome\User Data\Default\Login Data 0x13997:$a4: \Orbitum\User Data\Default\Login Data 0x1478f:$a5: \Kometa\User Data\Default\Login Data
00000001.00000002.2568148003.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000001.00000002.2568148003.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.2568148003.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000001.00000002.2568148003.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000001.00000002.2568148003.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xefdf:$a1: get_encryptedPassword 0xf307:$a2: get_encryptedUsername 0xed7a:$a3: get_timePasswordChanged 0xee9b:$a4: get_passwordField 0xeff5:$a5: set_encryptedPassword 0x10951:$a7: get_logins 0x10602:$a8: GetOutlookPasswords 0x103f4:$a9: StartKeylogger 0x108a1:$a10: KeyLoggerEventArgs 0x10451:$a11: KeyLoggerEventArgsEventHandler
00000001.00000002.2569009214.0000000003186000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: smss (2).exe PID: 8184	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: smss (2).exe PID: 8184	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: smss (2).exe PID: 8184	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
Process Memory Space: smss (2).exe PID: 8184	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: smss (2).exe PID: 8184	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1e0b9d:$a1: get_encryptedPassword 0x1e0eb6:$a2: get_encryptedUsername 0x1e094c:$a3: get_timePasswordChanged 0x1e0a6d:$a4: get_passwordField 0x1e0bb3:$a5: set_encryptedPassword 0x1e24b6:$a7: get_logins 0x1e2167:$a8: GetOutlookPasswords 0x1e1f59:$a9: StartKeylogger 0x1e2406:$a10: KeyLoggerEventArgs 0x1e1fb6:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 7392	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 7392	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7392	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
Process Memory Space: RegSvcs.exe PID: 7392	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 7392	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x521aa:$a1: get_encryptedPassword 0x524c3:$a2: get_encryptedUsername 0x51f59:$a3: get_timePasswordChanged 0x5207a:$a4: get_passwordField 0x521c0:$a5: set_encryptedPassword 0x53ac3:$a7: get_logins 0x53774:$a8: GetOutlookPasswords 0x53566:$a9: StartKeylogger 0x53a13:$a10: KeyLoggerEventArgs 0x535c3:$a11: KeyLoggerEventArgsEventHandler
Click to see the 17 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.smss (2).exe.3f10000.1.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.smss (2).exe.3f10000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.smss (2).exe.3f10000.1.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
0.2.smss (2).exe.3f10000.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.smss (2).exe.3f10000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3df:$a1: get_encryptedPassword 0xd707:$a2: get_encryptedUsername 0xd17a:$a3: get_timePasswordChanged 0xd29b:$a4: get_passwordField 0xd3f5:$a5: set_encryptedPassword 0xed51:$a7: get_logins 0xea02:$a8: GetOutlookPasswords 0xe7f4:$a9: StartKeylogger 0xeca1:$a10: KeyLoggerEventArgs 0xe851:$a11: KeyLoggerEventArgsEventHandler
0.2.smss (2).exe.3f10000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1238b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x11889:$a3: \Google\Chrome\User Data\Default\Login Data 0x11b97:$a4: \Orbitum\User Data\Default\Login Data 0x1298f:$a5: \Kometa\User Data\Default\Login Data
1.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
1.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
1.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.RegSvcs.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1df:$a1: get_encryptedPassword 0xf507:$a2: get_encryptedUsername 0xef7a:$a3: get_timePasswordChanged 0xf09b:$a4: get_passwordField 0xf1f5:$a5: set_encryptedPassword 0x10b51:$a7: get_logins 0x10802:$a8: GetOutlookPasswords 0x105f4:$a9: StartKeylogger 0x10aa1:$a10: KeyLoggerEventArgs 0x10651:$a11: KeyLoggerEventArgsEventHandler
1.2.RegSvcs.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1418b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13689:$a3: \Google\Chrome\User Data\Default\Login Data 0x13997:$a4: \Orbitum\User Data\Default\Login Data 0x1478f:$a5: \Kometa\User Data\Default\Login Data
0.2.smss (2).exe.3f10000.1.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.smss (2).exe.3f10000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.smss (2).exe.3f10000.1.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
0.2.smss (2).exe.3f10000.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.smss (2).exe.3f10000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1df:$a1: get_encryptedPassword 0xf507:$a2: get_encryptedUsername 0xef7a:$a3: get_timePasswordChanged 0xf09b:$a4: get_passwordField 0xf1f5:$a5: set_encryptedPassword 0x10b51:$a7: get_logins 0x10802:$a8: GetOutlookPasswords 0x105f4:$a9: StartKeylogger 0x10aa1:$a10: KeyLoggerEventArgs 0x10651:$a11: KeyLoggerEventArgsEventHandler
0.2.smss (2).exe.3f10000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1418b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13689:$a3: \Google\Chrome\User Data\Default\Login Data 0x13997:$a4: \Orbitum\User Data\Default\Login Data 0x1478f:$a5: \Kometa\User Data\Default\Login Data
Click to see the 13 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-13T10:58:29.242684+0200	2803274	2	Potentially Bad Traffic	192.168.2.5	49692	193.122.130.0	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000001.00000002.2569009214.0000000003031000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "7598843355:AAHehybWWiULdkPS1RLFstdr4_yw-SdkoII", "Telegram Chatid": "7668947425"}

Multi AV Scanner detection for submitted file

Source: smss (2).exe	Virustotal: Detection: 64%			Perma Link
Source: smss (2).exe	ReversingLabs: Detection: 63%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Neural Call Log Analysis: 97.5%

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: smss (2).exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.5:49693 version: TLS 1.0

Source:	Binary string: wntdll.pdbUGP source: smss (2).exe, 00000000.00000003.1327321038.00000000040D0000.00000004.00001000.00020000.00000000.sdmp, smss (2).exe, 00000000.00000003.1327159958.0000000003F30000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: smss (2).exe, 00000000.00000003.1327321038.00000000040D0000.00000004.00001000.00020000.00000000.sdmp, smss (2).exe, 00000000.00000003.1327159958.0000000003F30000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\smss (2).exe	Code function: 0_2_0019445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0019445A
Source: C:\Users\user\Desktop\smss (2).exe	Code function: 0_2_0019C6D1 FindFirstFileW,FindClose,	0_2_0019C6D1
Source: C:\Users\user\Desktop\smss (2).exe	Code function: 0_2_0019C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0019C75C
Source: C:\Users\user\Desktop\smss (2).exe	Code function: 0_2_0019EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0019EF95
Source: C:\Users\user\Desktop\smss (2).exe	Code function: 0_2_0019F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0019F0F2
Source: C:\Users\user\Desktop\smss (2).exe	Code function: 0_2_0019F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0019F3F3
Source: C:\Users\user\Desktop\smss (2).exe	Code function: 0_2_001937EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_001937EF
Source: C:\Users\user\Desktop\smss (2).exe	Code function: 0_2_00193B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00193B12
Source: C:\Users\user\Desktop\smss (2).exe	Code function: 0_2_0019BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0019BCBC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 013B9731h	1_2_013B9480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 013B9E5Ah	1_2_013B9A40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 013B9E5Ah	1_2_013B9A30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 013B9E5Ah	1_2_013B9D87

Source: global traffic

HTTP traffic detected: GET /xml/89.187.171.161 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.96.1 104.21.96.1
Source: Joe Sandbox View	IP Address: 104.21.96.1 104.21.96.1
Source: Joe Sandbox View	IP Address: 193.122.130.0 193.122.130.0

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic

Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49692 -> 193.122.130.0:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown

HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.5:49693 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\smss (2).exe

Code function: 0_2_001A22EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_001A22EE

Source: global traffic	HTTP traffic detected: GET /xml/89.187.171.161 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: RegSvcs.exe, 00000001.00000002.2569009214.00000000030B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000001.00000002.2569009214.00000000030B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: RegSvcs.exe, 00000001.00000002.2569009214.00000000030B0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2569009214.000000000309E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000001.00000002.2569009214.0000000003031000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: RegSvcs.exe, 00000001.00000002.2569009214.00000000030B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: smss (2).exe, 00000000.00000002.1339327896.0000000003F10000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2568148003.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000001.00000002.2569009214.00000000030B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: RegSvcs.exe, 00000001.00000002.2569009214.00000000030CD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000001.00000002.2569009214.00000000030CD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: RegSvcs.exe, 00000001.00000002.2569009214.0000000003031000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: smss (2).exe, 00000000.00000002.1339327896.0000000003F10000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2568148003.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: RegSvcs.exe, 00000001.00000002.2569009214.00000000030B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: smss (2).exe, 00000000.00000002.1339327896.0000000003F10000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2569009214.00000000030B0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2568148003.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000001.00000002.2569009214.00000000030B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/89.187.171.161d
Source: RegSvcs.exe, 00000001.00000002.2569009214.00000000030B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/89.187.171.161l

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown	Network traffic detected: HTTP traffic on port 49693 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.smss (2).exe.3f10000.1.raw.unpack, UltraSpeed.cs

.Net Code: VKCodeToUnicode

Source: C:\Users\user\Desktop\smss (2).exe

Code function: 0_2_001A4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_001A4164

Source: C:\Users\user\Desktop\smss (2).exe

Code function: 0_2_001A4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_001A4164

Source: C:\Users\user\Desktop\smss (2).exe

Code function: 0_2_001A3F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_001A3F66

Source: C:\Users\user\Desktop\smss (2).exe

Code function: 0_2_0019001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_0019001C

Source: C:\Users\user\Desktop\smss (2).exe

Code function: 0_2_001BCABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_001BCABC

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.smss (2).exe.3f10000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.smss (2).exe.3f10000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.smss (2).exe.3f10000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.smss (2).exe.3f10000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000000.00000002.1339327896.0000000003F10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1339327896.0000000003F10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000001.00000002.2568148003.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: smss (2).exe PID: 8184, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 7392, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\smss (2).exe	Code function: This is a third-party compiled AutoIt script.	0_2_00133B3A
Source: smss (2).exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: smss (2).exe, 00000000.00000000.1312707495.00000000001E4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_2c5a4984-a
Source: smss (2).exe, 00000000.00000000.1312707495.00000000001E4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_c0a18c71-9
Source: smss (2).exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_082210b7-2
Source: smss (2).exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_b6372469-5

Source: C:\Users\user\Desktop\smss (2).exe

Code function: 0_2_0019A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_0019A1EF

Source: C:\Users\user\Desktop\smss (2).exe

Code function: 0_2_00188310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00188310

Source: C:\Users\user\Desktop\smss (2).exe

Code function: 0_2_001951BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_001951BD

Source: C:\Users\user\Desktop\smss (2).exe	Code function: 0_2_0013E6A0	0_2_0013E6A0
Source: C:\Users\user\Desktop\smss (2).exe	Code function: 0_2_0015D975	0_2_0015D975
Source: C:\Users\user\Desktop\smss (2).exe	Code function: 0_2_001521C5	0_2_001521C5
Source: C:\Users\user\Desktop\smss (2).exe	Code function: 0_2_001662D2	0_2_001662D2
Source: C:\Users\user\Desktop\smss (2).exe	Code function: 0_2_001B03DA	0_2_001B03DA
Source: C:\Users\user\Desktop\smss (2).exe	Code function: 0_2_0016242E	0_2_0016242E
Source: C:\Users\user\Desktop\smss (2).exe	Code function: 0_2_001525FA	0_2_001525FA
Source: C:\Users\user\Desktop\smss (2).exe	Code function: 0_2_0018E616	0_2_0018E616
Source: C:\Users\user\Desktop\smss (2).exe	Code function: 0_2_001466E1	0_2_001466E1
Source: C:\Users\user\Desktop\smss (2).exe	Code function: 0_2_0016878F	0_2_0016878F
Source: C:\Users\user\Desktop\smss (2).exe	Code function: 0_2_00148808	0_2_00148808
Source: C:\Users\user\Desktop\smss (2).exe	Code function: 0_2_001B0857	0_2_001B0857
Source: C:\Users\user\Desktop\smss (2).exe	Code function: 0_2_00166844	0_2_00166844
Source: C:\Users\user\Desktop\smss (2).exe	Code function: 0_2_00198889	0_2_00198889
Source: C:\Users\user\Desktop\smss (2).exe	Code function: 0_2_0015CB21	0_2_0015CB21
Source: C:\Users\user\Desktop\smss (2).exe	Code function: 0_2_00166DB6	0_2_00166DB6
Source: C:\Users\user\Desktop\smss (2).exe	Code function: 0_2_00146F9E	0_2_00146F9E
Source: C:\Users\user\Desktop\smss (2).exe	Code function: 0_2_00143030	0_2_00143030
Source: C:\Users\user\Desktop\smss (2).exe	Code function: 0_2_00153187	0_2_00153187
Source: C:\Users\user\Desktop\smss (2).exe	Code function: 0_2_0015F1D9	0_2_0015F1D9
Source: C:\Users\user\Desktop\smss (2).exe	Code function: 0_2_00131287	0_2_00131287
Source: C:\Users\user\Desktop\smss (2).exe	Code function: 0_2_00151484	0_2_00151484
Source: C:\Users\user\Desktop\smss (2).exe	Code function: 0_2_00145520	0_2_00145520
Source: C:\Users\user\Desktop\smss (2).exe	Code function: 0_2_00157696	0_2_00157696
Source: C:\Users\user\Desktop\smss (2).exe	Code function: 0_2_00145760	0_2_00145760
Source: C:\Users\user\Desktop\smss (2).exe	Code function: 0_2_00151978	0_2_00151978
Source: C:\Users\user\Desktop\smss (2).exe	Code function: 0_2_00169AB5	0_2_00169AB5
Source: C:\Users\user\Desktop\smss (2).exe	Code function: 0_2_0013FCE0	0_2_0013FCE0
Source: C:\Users\user\Desktop\smss (2).exe	Code function: 0_2_00151D90	0_2_00151D90
Source: C:\Users\user\Desktop\smss (2).exe	Code function: 0_2_0015BDA6	0_2_0015BDA6
Source: C:\Users\user\Desktop\smss (2).exe	Code function: 0_2_001B7DDB	0_2_001B7DDB
Source: C:\Users\user\Desktop\smss (2).exe	Code function: 0_2_0013DF00	0_2_0013DF00
Source: C:\Users\user\Desktop\smss (2).exe	Code function: 0_2_00143FE0	0_2_00143FE0
Source: C:\Users\user\Desktop\smss (2).exe	Code function: 0_2_01858288	0_2_01858288
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_013BC530	1_2_013BC530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_013B27B9	1_2_013B27B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_013B9480	1_2_013B9480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_013BC521	1_2_013BC521
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_013B2DD1	1_2_013B2DD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_013B946F	1_2_013B946F

Source: C:\Users\user\Desktop\smss (2).exe	Code function: String function: 00150AE3 appears 70 times
Source: C:\Users\user\Desktop\smss (2).exe	Code function: String function: 00137DE1 appears 35 times
Source: C:\Users\user\Desktop\smss (2).exe	Code function: String function: 00158900 appears 42 times

Source: smss (2).exe, 00000000.00000003.1328022782.0000000004053000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs smss (2).exe
Source: smss (2).exe, 00000000.00000003.1329288356.000000000421D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs smss (2).exe
Source: smss (2).exe, 00000000.00000002.1339327896.0000000003F10000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs smss (2).exe

Source: smss (2).exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 0.2.smss (2).exe.3f10000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.smss (2).exe.3f10000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.smss (2).exe.3f10000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.smss (2).exe.3f10000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.1339327896.0000000003F10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1339327896.0000000003F10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000001.00000002.2568148003.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: smss (2).exe PID: 8184, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 7392, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: 0.2.smss (2).exe.3f10000.1.raw.unpack, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.smss (2).exe.3f10000.1.raw.unpack, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/4@2/2

Source: C:\Users\user\Desktop\smss (2).exe

Code function: 0_2_0019A06A GetLastError,FormatMessageW,

0_2_0019A06A

Source: C:\Users\user\Desktop\smss (2).exe	Code function: 0_2_001881CB AdjustTokenPrivileges,CloseHandle,		0_2_001881CB
Source: C:\Users\user\Desktop\smss (2).exe	Code function: 0_2_001887E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_001887E1

Source: C:\Users\user\Desktop\smss (2).exe

Code function: 0_2_0019B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_0019B333

Source: C:\Users\user\Desktop\smss (2).exe

Code function: 0_2_001AEE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_001AEE0D

Source: C:\Users\user\Desktop\smss (2).exe

Code function: 0_2_0019C397 CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0019C397

Source: C:\Users\user\Desktop\smss (2).exe

Code function: 0_2_00134E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00134E89

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\smss (2).exe

File created: C:\Users\user\AppData\Local\Temp\aut33A.tmp

Jump to behavior

Source: smss (2).exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\smss (2).exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000001.00000002.2569009214.0000000003150000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2569009214.0000000003143000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2569009214.000000000312F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2569394913.000000000405D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2569009214.0000000003111000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2569009214.0000000003120000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: smss (2).exe	Virustotal: Detection: 64%
Source: smss (2).exe	ReversingLabs: Detection: 63%

Source: unknown	Process created: C:\Users\user\Desktop\smss (2).exe "C:\Users\user\Desktop\smss (2).exe"
Source: C:\Users\user\Desktop\smss (2).exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\smss (2).exe"
Source: C:\Users\user\Desktop\smss (2).exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\smss (2).exe"	Jump to behavior

Source: C:\Users\user\Desktop\smss (2).exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\smss (2).exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\smss (2).exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\smss (2).exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\smss (2).exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\smss (2).exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\smss (2).exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\smss (2).exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\smss (2).exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\smss (2).exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\smss (2).exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: smss (2).exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: smss (2).exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: smss (2).exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: smss (2).exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: smss (2).exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: smss (2).exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: smss (2).exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: smss (2).exe, 00000000.00000003.1327321038.00000000040D0000.00000004.00001000.00020000.00000000.sdmp, smss (2).exe, 00000000.00000003.1327159958.0000000003F30000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: smss (2).exe, 00000000.00000003.1327321038.00000000040D0000.00000004.00001000.00020000.00000000.sdmp, smss (2).exe, 00000000.00000003.1327159958.0000000003F30000.00000004.00001000.00020000.00000000.sdmp

Source: smss (2).exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: smss (2).exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: smss (2).exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: smss (2).exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: smss (2).exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\smss (2).exe

Code function: 0_2_00134B37 LoadLibraryA,GetProcAddress,

0_2_00134B37

Source: C:\Users\user\Desktop\smss (2).exe

Code function: 0_2_00158945 push ecx; ret

0_2_00158958

Source: C:\Users\user\Desktop\smss (2).exe	Code function: 0_2_001348D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_001348D7
Source: C:\Users\user\Desktop\smss (2).exe	Code function: 0_2_001B5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_001B5376

Source: C:\Users\user\Desktop\smss (2).exe

Code function: 0_2_00153187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00153187

Source: C:\Users\user\Desktop\smss (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\smss (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\smss (2).exe

API/Special instruction interceptor: Address: 1857EAC

Source: C:\Users\user\Desktop\smss (2).exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-102521

Source: C:\Users\user\Desktop\smss (2).exe

API coverage: 5.1 %

Source: C:\Users\user\Desktop\smss (2).exe	Code function: 0_2_0019445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0019445A
Source: C:\Users\user\Desktop\smss (2).exe	Code function: 0_2_0019C6D1 FindFirstFileW,FindClose,	0_2_0019C6D1
Source: C:\Users\user\Desktop\smss (2).exe	Code function: 0_2_0019C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0019C75C
Source: C:\Users\user\Desktop\smss (2).exe	Code function: 0_2_0019EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0019EF95
Source: C:\Users\user\Desktop\smss (2).exe	Code function: 0_2_0019F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0019F0F2
Source: C:\Users\user\Desktop\smss (2).exe	Code function: 0_2_0019F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0019F3F3
Source: C:\Users\user\Desktop\smss (2).exe	Code function: 0_2_001937EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_001937EF
Source: C:\Users\user\Desktop\smss (2).exe	Code function: 0_2_00193B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00193B12
Source: C:\Users\user\Desktop\smss (2).exe	Code function: 0_2_0019BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0019BCBC

Source: C:\Users\user\Desktop\smss (2).exe

Code function: 0_2_001349A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001349A0

Source: RegSvcs.exe, 00000001.00000002.2568526699.0000000001176000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlly

Source: C:\Users\user\Desktop\smss (2).exe	API call chain: ExitProcess graph end node			graph_0-101309
Source: C:\Users\user\Desktop\smss (2).exe	API call chain: ExitProcess graph end node			graph_0-101536

Source: C:\Users\user\Desktop\smss (2).exe

Code function: 0_2_001A3F09 BlockInput,

0_2_001A3F09

Source: C:\Users\user\Desktop\smss (2).exe

Code function: 0_2_00133B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00133B3A

Source: C:\Users\user\Desktop\smss (2).exe

Code function: 0_2_00165A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00165A7C

Source: C:\Users\user\Desktop\smss (2).exe

Code function: 0_2_00134B37 LoadLibraryA,GetProcAddress,

0_2_00134B37

Source: C:\Users\user\Desktop\smss (2).exe	Code function: 0_2_01858118 mov eax, dword ptr fs:[00000030h]	0_2_01858118
Source: C:\Users\user\Desktop\smss (2).exe	Code function: 0_2_01858178 mov eax, dword ptr fs:[00000030h]	0_2_01858178
Source: C:\Users\user\Desktop\smss (2).exe	Code function: 0_2_01856AC8 mov eax, dword ptr fs:[00000030h]	0_2_01856AC8

Source: C:\Users\user\Desktop\smss (2).exe

Code function: 0_2_001880A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_001880A9

Source: C:\Users\user\Desktop\smss (2).exe	Code function: 0_2_0015A124 SetUnhandledExceptionFilter,		0_2_0015A124
Source: C:\Users\user\Desktop\smss (2).exe	Code function: 0_2_0015A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_0015A155

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 0.2.smss (2).exe.3f10000.1.raw.unpack, UltraSpeed.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 0.2.smss (2).exe.3f10000.1.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 0.2.smss (2).exe.3f10000.1.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\smss (2).exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\smss (2).exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: F0F008

Jump to behavior

Source: C:\Users\user\Desktop\smss (2).exe

Code function: 0_2_001887B1 LogonUserW,

0_2_001887B1

Source: C:\Users\user\Desktop\smss (2).exe

Code function: 0_2_00133B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00133B3A

Source: C:\Users\user\Desktop\smss (2).exe

Code function: 0_2_001348D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_001348D7

Source: C:\Users\user\Desktop\smss (2).exe

Code function: 0_2_00194C27 mouse_event,

0_2_00194C27

Source: C:\Users\user\Desktop\smss (2).exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\smss (2).exe"

Jump to behavior

Source: C:\Users\user\Desktop\smss (2).exe

Code function: 0_2_00187CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00187CAF

Source: C:\Users\user\Desktop\smss (2).exe

Code function: 0_2_0018874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_0018874B

Source: smss (2).exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: smss (2).exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\smss (2).exe

Code function: 0_2_0015862B cpuid

0_2_0015862B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\smss (2).exe

Code function: 0_2_00164E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00164E87

Source: C:\Users\user\Desktop\smss (2).exe

Code function: 0_2_00171E06 GetUserNameW,

0_2_00171E06

Source: C:\Users\user\Desktop\smss (2).exe

Code function: 0_2_00163F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00163F3A

Source: C:\Users\user\Desktop\smss (2).exe

Code function: 0_2_001349A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001349A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MSIL Logger

Source: Yara match	File source: 0.2.smss (2).exe.3f10000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.smss (2).exe.3f10000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1339327896.0000000003F10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2568148003.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: smss (2).exe PID: 8184, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7392, type: MEMORYSTR

Yara detected MassLogger RAT

Source: Yara match	File source: 0.2.smss (2).exe.3f10000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.smss (2).exe.3f10000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1339327896.0000000003F10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2568148003.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: smss (2).exe PID: 8184, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7392, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.smss (2).exe.3f10000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.smss (2).exe.3f10000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1339327896.0000000003F10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2568148003.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: smss (2).exe PID: 8184, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7392, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: smss (2).exe	Binary or memory string: WIN_81
Source: smss (2).exe	Binary or memory string: WIN_XP
Source: smss (2).exe	Binary or memory string: WIN_XPe
Source: smss (2).exe	Binary or memory string: WIN_VISTA
Source: smss (2).exe	Binary or memory string: WIN_7
Source: smss (2).exe	Binary or memory string: WIN_8
Source: smss (2).exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 0.2.smss (2).exe.3f10000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.smss (2).exe.3f10000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1339327896.0000000003F10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2568148003.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2569009214.0000000003186000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: smss (2).exe PID: 8184, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7392, type: MEMORYSTR

Remote Access Functionality

Yara detected MSIL Logger

Source: Yara match	File source: 0.2.smss (2).exe.3f10000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.smss (2).exe.3f10000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1339327896.0000000003F10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2568148003.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: smss (2).exe PID: 8184, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7392, type: MEMORYSTR

Yara detected MassLogger RAT

Source: Yara match	File source: 0.2.smss (2).exe.3f10000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.smss (2).exe.3f10000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1339327896.0000000003F10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2568148003.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: smss (2).exe PID: 8184, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7392, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.smss (2).exe.3f10000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.smss (2).exe.3f10000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1339327896.0000000003F10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2568148003.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: smss (2).exe PID: 8184, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7392, type: MEMORYSTR

Source: C:\Users\user\Desktop\smss (2).exe	Code function: 0_2_001A6283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_001A6283
Source: C:\Users\user\Desktop\smss (2).exe	Code function: 0_2_001A6747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_001A6747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	12 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	121 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	127 System Information Discovery	Distributed Component Object Model	121 Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	2 Valid Accounts	LSA Secrets	131 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	21 Access Token Manipulation	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	212 Process Injection	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
smss (2).exe	65%	Virustotal		Browse
smss (2).exe	64%	ReversingLabs	Win32.Trojan.Strab
SAMPLE	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false	high
reallyfreegeoip.org	104.21.96.1	true	false	high
checkip.dyndns.com	193.122.130.0	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/89.187.171.161	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://checkip.dyndns.comd	RegSvcs.exe, 00000001.00000002.2569009214.00000000030B0000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	smss (2).exe, 00000000.00000002.1339327896.0000000003F10000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2568148003.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false	high
http://reallyfreegeoip.orgd	RegSvcs.exe, 00000001.00000002.2569009214.00000000030CD000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	RegSvcs.exe, 00000001.00000002.2569009214.00000000030CD000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.orgd	RegSvcs.exe, 00000001.00000002.2569009214.00000000030B0000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	RegSvcs.exe, 00000001.00000002.2569009214.00000000030B0000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	RegSvcs.exe, 00000001.00000002.2569009214.00000000030B0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2569009214.000000000309E000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	RegSvcs.exe, 00000001.00000002.2569009214.00000000030B0000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/89.187.171.161d	RegSvcs.exe, 00000001.00000002.2569009214.00000000030B0000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/d	RegSvcs.exe, 00000001.00000002.2569009214.00000000030B0000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000001.00000002.2569009214.0000000003031000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot-/sendDocument?chat_id=	smss (2).exe, 00000000.00000002.1339327896.0000000003F10000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2568148003.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/89.187.171.161l	RegSvcs.exe, 00000001.00000002.2569009214.00000000030B0000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	smss (2).exe, 00000000.00000002.1339327896.0000000003F10000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2569009214.00000000030B0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2568148003.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.96.1	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false
193.122.130.0	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1664057
Start date and time:	2025-04-13 10:57:29 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	smss (2).exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/4@2/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 100% Number of executed functions: 63 Number of non-executed functions: 279
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 23.53.13.85, 23.53.13.81, 23.76.34.6, 52.149.20.212, 150.171.27.254
Excluded domains from analysis (whitelisted): c2a9c95e369881c67228a6591cac2686.clo.footprintdns.com, ax-ring.msedge.net, fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, c.pki.goog, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net
Execution Graph export aborted for target RegSvcs.exe, PID 7392 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.96.1	Samhwa Document #AWB00960667892.pdf.vbs	Get hash	malicious	FormBook, GuLoader	Browse	www.drgnmoney-98.buzz/k21f/
	NEW PO.exe	Get hash	malicious	FormBook	Browse	www.uqcdnvgr.biz/z7hp/
	0123-PAYMENT.exe	Get hash	malicious	FormBook	Browse	www.6644win.mom/hs6j/
	vbnmghjkl.exe	Get hash	malicious	FormBook	Browse	www.uqcdnvgr.biz/veua/
	ZPGRAHNY.msi	Get hash	malicious	Unknown	Browse	sonorous-horizon-cfd.cfd/c
	Purchase_Order_1 x 40ft Container.exe	Get hash	malicious	FormBook	Browse	www.6644win.mom/hs6j/
	SecuriteInfo.com.Win32.DropperX-gen.1559.13899.exe	Get hash	malicious	FormBook	Browse	www.roastroots.lol/hpwy/
	vv161A72Jp.exe	Get hash	malicious	FormBook	Browse	www.auto-total.info/2yh2/
	Rse8nMu1q0.exe	Get hash	malicious	FormBook	Browse	www.ampmplay5000.vip/hig1/?olPP=K5pALbXS91o7HW36wgjsXvdqbEplZlB5gxlRGCNQjV51jLgDXQj1QZDRH4ffdzT66fWBOucL7u/VhDFeaoZteHcjGezDOtaP11BFgcrJxVAtcmQVeg==&3pC=I0RLjRIX
	zVLAGICBDE.exe	Get hash	malicious	FormBook	Browse	www.mulher777.info/7x8q/
193.122.130.0	1b3pICGT3V.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	TpDkwibRvg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Win32.MalwareX-gen.17302.21297.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/
	Facturas pagadas.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	Teklif Talebi Bilgileri.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Teklif Eklidir.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/
	hesaphareketi-01.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Comunicaci#U00f3n BBVA.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	5f8911mgZd9FLa2.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	PO# 3989201.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	KUzGUp4xs6.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.32.1
	Mi5cEY8M3R.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	104.21.48.1
	6pCmlKafCF.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	104.21.48.1
	1b3pICGT3V.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
	TpDkwibRvg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	WTGK44DBns.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	New order.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.80.1
	Q202507200854.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.112.1
	SecuriteInfo.com.Win32.MalwareX-gen.17302.21297.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.96.1
	PROCESO.3.1.305884.20250207.2025020715301400000008.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.48.1
checkip.dyndns.com	KUzGUp4xs6.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	158.101.44.242
	Mi5cEY8M3R.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	193.122.6.168
	6pCmlKafCF.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	193.122.6.168
	1b3pICGT3V.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	TpDkwibRvg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	WTGK44DBns.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	New order.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	193.122.6.168
	Q202507200854.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	132.226.8.169
	SecuriteInfo.com.Win32.MalwareX-gen.17302.21297.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	193.122.130.0
	PROCESO.3.1.305884.20250207.2025020715301400000008.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
bg.microsoft.map.fastly.net	activate.exe	Get hash	malicious	LummaC Stealer	Browse	199.232.210.172
	Imprimir_Entrada.exe	Get hash	malicious	Quasar, StormKitty	Browse	199.232.210.172
	3pzDxChUaP.exe	Get hash	malicious	Unknown	Browse	199.232.210.172
	SecuriteInfo.com.Trojan.MulDrop23.44572.16409.10206.exe	Get hash	malicious	ScreenConnect Tool, XWorm	Browse	199.232.214.172
	Saturn.exe	Get hash	malicious	Unknown	Browse	199.232.214.172
	Setupx-64.exe	Get hash	malicious	DCRat	Browse	199.232.214.172
	SecuriteInfo.com.Win64.MalwareX-gen.5298.17806.exe	Get hash	malicious	GhostRat	Browse	199.232.214.172
	SecuriteInfo.com.Trojan.DownLoader48.29860.1293.7282.exe	Get hash	malicious	DcRat	Browse	199.232.210.172
	support.Client.exe	Get hash	malicious	ScreenConnect Tool	Browse	199.232.210.172
	support.Client.exe	Get hash	malicious	ScreenConnect Tool	Browse	199.232.210.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	KUzGUp4xs6.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.32.1
	Mi5cEY8M3R.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	104.21.48.1
	6pCmlKafCF.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	104.21.48.1
	1b3pICGT3V.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
	TpDkwibRvg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	WTGK44DBns.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	activate.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.28.157
	activate.exe	Get hash	malicious	LummaC Stealer	Browse	104.22.68.199
	FGiemTL26H.exe	Get hash	malicious	Unknown	Browse	104.21.3.156
	3pzDxChUaP.exe	Get hash	malicious	Unknown	Browse	172.67.185.246
ORACLE-BMC-31898US	KUzGUp4xs6.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	158.101.44.242
	Mi5cEY8M3R.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	193.122.6.168
	6pCmlKafCF.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	193.122.6.168
	1b3pICGT3V.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	TpDkwibRvg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	mirai.mips.elf	Get hash	malicious	Mirai	Browse	144.25.120.64
	New order.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	193.122.6.168
	SecuriteInfo.com.Win32.MalwareX-gen.17302.21297.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	193.122.130.0
	Payment Swift-Copy MT103.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	Zam#U00f3wienie 2503447 - 24.04_pdf .scr.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	KUzGUp4xs6.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.96.1
	Mi5cEY8M3R.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	104.21.96.1
	6pCmlKafCF.hta	Get hash	malicious	Cobalt Strike, MSIL Logger, MassLogger RAT	Browse	104.21.96.1
	1b3pICGT3V.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	TpDkwibRvg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	WTGK44DBns.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	New order.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.96.1
	Q202507200854.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.96.1
	SecuriteInfo.com.Win32.MalwareX-gen.17302.21297.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.96.1
	PROCESO.3.1.305884.20250207.2025020715301400000008.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.96.1

Process:	C:\Users\user\Desktop\smss (2).exe
File Type:	data
Category:	dropped
Size (bytes):	11414
Entropy (8bit):	7.632684147231715
Encrypted:	false
SSDEEP:	192:8JWqkAkpDQTiOXd10nnGnTlE7FrOy3gC8FrrGtVIrzc4:8/344zN10nngTlAVOjVpGWzf
MD5:	FD88DBE40D3662D01DD320E04B91424C
SHA1:	57E6F1E422F5A1146B5920134A5138925A4349A5
SHA-256:	C67747DDB5069AE955B3E66D3FAB0C3E9E2D494E715E154926B8CFC6772D3E23
SHA-512:	DF0779694A20F24A846AC11D20CEBCAEED39F079B43C3A6B34E239FDB523751E1A7024A0905DA58A73870A101FF6891D9DF4898356F17D696ED8D3B99F7974C8
Malicious:	false
Reputation:	low
Preview:	EA06.....^&3...c4..'3I..i4.Lg3...B...f3... .....n..M..0."o4.....7..'3...j...f.......$.&.P.,M&.....#....$...h....&.....P....4 .....lfS..O..............lg....e3.........b.V..>....->...N@6?I.......@........T}3......M....a..O.....@..7..............@$ ...C..0..$ .@.C.....$ @.C.....$....C....?.$. ....a..\|.9...B\|Sp.O.....2..... ......05O..:...........=..~@.D..S..$&@j...!4.T....5O......\|...'..F.d.....l@.>.....yM..>.....!..z\|`:...C..z\|`....C..z\|..!...A..:\|.C.X..&.\|.........................0...'..Y.)L..}`R...c .H...0......0..................g....=.. }`....fa..h.!4..........3. .l>...f....\|.........hh...h~...F.....f~s ....}. ...z>.F.@i>.......l.F....L.6?P......o@.@.!7.h..6.p.%3 w..EA,... .(.@.34...%g..6....x.C.......XB?0....@}14.....@......"..B..&...........X@..0...1...!~..F.....'.....T.......a ..p.......#s....`.a..@S..Jf....fb.....nf.a.L.,> ......Yd.#S`!.......f`,....*..1S0...A.6....,>......).G....nr...L.,>.........`.....l41......T.....2....$.k.c....}.P...j..... .....!..G.4

C:\Users\user\AppData\Local\Temp\aut639.tmp

Download File

Process:	C:\Users\user\Desktop\smss (2).exe
File Type:	data
Category:	dropped
Size (bytes):	70020
Entropy (8bit):	7.922435218163944
Encrypted:	false
SSDEEP:	1536:gKaeY8VVOpX6p+dhZ4iGS9733nNPGkeB008iIcBUL7/kB7iB7vZ7amdrb:gI3iBTuiGU7H08FcBW/kBeB7vZ7Rh
MD5:	4D2979916CF8D47A889EAC677CF0D437
SHA1:	786831F4DB237EDCD53D60DDB24E989A9317C0A3
SHA-256:	DF18CFB3E67878C5E7364D0740BBC4675649E5CEB85B00EB1AF36E4C5D699092
SHA-512:	08205166DF9EEE0DAA85D0506534A2C4EF817B19B269366C803A2CBF819A40A54C8F90861E58EF3F26AD5BAD42EE6102166C6866718B48A37FB3847A697F55DC
Malicious:	false
Reputation:	low
Preview:	EA06..n..Dt.j..B..&3...T.Ni.:..oG....r...R......_4...p@...s.6..._...g...".....1.U.....1T.IkS.dJa'...{T._t.]..9}^."..ku(...b.J...L.P.5....s]..".J..'4.=.q7..9...g6...18../.z=..\..\`....P.W.L.....Pf...6.B.I...D.R...D.?.n.....}TZ.Jz...a(.I.....).....K.W...\.Ni.......J.....V.:.`.\..\p..@..5$..& ...x..}'3.m..........s...+..D.iV....I...T.Ui..?..c9..\\|}..`.........qK.../\.A.\,t.%.!....`....a...........G......J... ..y..,`....\.."....N..M..J...0..%@..............I.....R.](U.dFsJ.Po.jU..B.m...JW..P.\|I..@.]...?..8......bq.Vh.ZU..A.n'....%m..9T...Y._&3........:.J#G..-...b.s.Lg[J...8.Y.4)....\....f.7.....d.C.n'.z\..F.^.5.$.'h.T....h.Rj`...ex.I.3..:.A.F.....y...b.\|.F.Q#s....&.Mi.:.^.G.....J.q..).K].qG....YG....^/..e.sJ.Po....%...`.j...E........9.....x.)%.."..$......?J...7...j......'6(H.+e....=..V.MV...c?.["uI...k..&..\z.X.^.....G._g..M..E..s0.Bsu.Lg.)..)....@.."....4..^s1..77...;......J.[.L..%eBu=.@(S....4.i..z.f.3.M.....w3.P....ziV.L(..x..`.W..[.6.C...@(E....

C:\Users\user\AppData\Local\Temp\pluffer

Download File

Process:	C:\Users\user\Desktop\smss (2).exe
File Type:	ASCII text, with very long lines (57350), with no line terminators
Category:	dropped
Size (bytes):	57350
Entropy (8bit):	2.4411646206400683
Encrypted:	false
SSDEEP:	768:h6qLIWYmv7SvsY7OqSL79WWt6ZMJ+o5yJUcL0VuuSMzJeJ5Jei6EJJfJcQTcql:h6qGmv7QsY7OqSFWr
MD5:	A95FB0F7E3BCB87983D72AF05587B108
SHA1:	4BFB418103972BE2AFFBB1DA6254D176C485B6DD
SHA-256:	A42BD684EFE9677C08219349FC504FC5F283E7F7F74CB758200843B0BE09E23D
SHA-512:	6058DDABE14E18DD3E778662AC606361CB443F35C6290C39C3D67F612E156AA652F3743B0AF63982B4A68D9A20E0DDE0B80670FC3B5A02DF9B7BD9D5C4B9CEF9
Malicious:	false
Reputation:	low
Preview:	0x11591414194344421910444242421113111111111417141643191743111111111111171719181514191543181714111111111111171719181545191743401613111111111111171719181414191943191744111111111111171719181514194043181714111111111111171719181545194243401742111111111111171719181414194443191212111111111111171719181514181143181213111111111111171719181545181343401344111111111111171719181414181543191715111111111111171719181514181743181742111111111111171719181545181943401742111111111111171719181414184012124211171719181514184243181744111111111111171719181945151547474747474743401615111111111111171719181814151747474747474743191715111111111111171719181914151947474747474743181742111111111111171719181945154047474747474743401742111111111111171719181814154247474747474743191344111111111111171719181914154447474747474743181715111111111111171719181945141147474747474743401742111111111111171719181814141347474747474743191742111111111111171719181914141547474747474712124218171719181945141747474747474743401614111111111111171719

C:\Users\user\AppData\Local\Temp\vehiculation

Download File

Process:	C:\Users\user\Desktop\smss (2).exe
File Type:	data
Category:	dropped
Size (bytes):	93696
Entropy (8bit):	6.906701359718243
Encrypted:	false
SSDEEP:	1536:HeALtQu9Z1h3s655VpJfppI4NDK1uXnkDGit33lHUHHQoSHH8HIH8NXA/DN:+AX9Z1Js65dDt3kntHlHUHHQoSHH8HI5
MD5:	ADDFC35B07D6EEEC6F81D2B93BCDF061
SHA1:	DB9718734AE4C8B19DD91724A4A134285BF88FD1
SHA-256:	29D526DD07C0ECC52011D22CA37BA7297D1E4B36FF36A70B3C4F0EEE9AA7FCEE
SHA-512:	77C7D1E63380914B164335B2DA479B4FC4C7C19024A24F53347390A6355434032F5FDF81DDC051760D6B6B73FAE584A6B7DA3CA49A47CB80ACF6936909483C1B
Malicious:	false
Reputation:	low
Preview:	...V[2RB]D19..AT.9MCB87G.4VX2RBYD19JDAT89MCB87GK4VX2RBYD19JD.T89C\.67.B.w.3..x.YP9d1&W^?"/.T&%Z9,.0'y6DWj-/t\|v.c/WS"e9[R.RBYD19J..T8uL@B.Y..4VX2RBYD.9HEJUh9M'C87OK4VX2R..E19jDAT.8MCBx7Gk4VX0RB]D19JDAT>9MCB87GK.WX2PBYD19JFA4.9MSB8'GK4VH2RRYD19JDQT89MCB87GK4..3R.YD19.EA.=9MCB87GK4VX2RBYD19J.@T49MCB87GK4VX2RBYD19JDAT89MCB87GK4VX2RBYD19JDAT89MCB87gK4^X2RBYD19JDA\.9M.B87GK4VX2RBw0TA>DAT.[LCB.7GKPWX2PBYD19JDAT89MCB.7G+.$+@1BYD.<JDA.99MEB87!J4VX2RBYD19JDA.89.m0][((4VT2RBY.09JFAT8ULCB87GK4VX2RBY.19.DAT89MCB87GK4VX2..XD19JD.T89OCG8K.K4..2RAYD1cJDG..9M.B87GK4VX2RBYD19JDAT89MCB87GK4VX2RBYD19JDAT8.0.M..."G..2RBYD18HGER01MCB87GK4(X2R.YD1yJDAc89MfB87K4V\|2RB'D194DAT\9MC087G4VXuRBY+19JAT8GMCB&5oT4VR.tB[l.9JNA~.JlCB2.FK4R+.RBS.39J@2w89G.A87C8.VX8.FYD5JoDA^.<MCF.mGH.@^2RY6\|19@DB.-?MCY..GI.oX2XBsb1:.QGT8"gaB:.NK4Rrd!_YD7..DA^L0MC@.=GK0\|F0z.YD;.h:RT8=fCh.ISK4Rs2x`'Q19NoA~.G[CB<.Ga.(O2RFrD.?`&A&.5M3AWVGK2~.2RHq.19LDkn8GCCB<5(.4VR.xxYla9JBA\|i9MEB..G5.VX6~E'w19NoW.9MG.>OGK2%.2RH\|..9J@i.89GCh.7o.4V^2z.YD7

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.817836503201098
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	smss (2).exe
File size:	950'784 bytes
MD5:	a9a05d451c24858918183c1e7271a306
SHA1:	e9ea72f8b86886be421da90c131659d6ebb9483f
SHA256:	d878f6aa5cc41db62f6b2c3466cbec5d792eaf8f77b2ea1e779e7925f267be52
SHA512:	ccd15a0fa3532c888845f05b392122fa64474434d9d34b5311e08c839b24a6740ff660c5224a23ad16681d20dac9d1112ecc1710835a516ef4adfc4f8874f715
SSDEEP:	24576:Tu6J33O0c+JY5UZ+XC0kGso6FaiQ5PAWY:9u0c++OCvkGs9FaiQ57Y
TLSH:	A615AE2273DDC360CB669173BF6AB7016EBF3C614630B85B2F980D7DA950162162D7A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67F604D0 [Wed Apr 9 05:25:36 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F304882D4BAh
jmp 00007F3048820284h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F304882040Ah
cmp edi, eax
jc 00007F304882076Eh
bt dword ptr [004C31FCh], 01h
jnc 00007F3048820409h
rep movsb
jmp 00007F304882071Ch
cmp ecx, 00000080h
jc 00007F30488205D4h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F3048820410h
bt dword ptr [004BE324h], 01h
jc 00007F30488208E0h
bt dword ptr [004C31FCh], 00000000h
jnc 00007F30488205ADh
test edi, 00000003h
jne 00007F30488205BEh
test esi, 00000003h
jne 00007F304882059Dh
bt edi, 02h
jnc 00007F304882040Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F3048820413h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F3048820465h
bt esi, 03h
jnc 00007F30488204B8h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x1f838	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe7000	0x711c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	d28a820a1d9ff26cda02d12b888ba4b4	False	0.5728679102422908	data	6.676118058520316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x1f838	0x1fa00	25173cf3162544ac6de0e05a734e54ee	False	0.7889312623517787	data	7.505022401870191	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe7000	0x711c	0x7200	6fcae3cbbf6bfbabf5ec5bbe7cf612c3	False	0.7650767543859649	data	6.779031650454199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc75a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc76d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc77f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc7c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc7d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc8bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc9480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc99e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xcbf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xcd038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcda84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xce110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcf660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcf7b8	0x16b00	data			1.000387396694215
RT_GROUP_ICON	0xe62b8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xe6330	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xe6344	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xe6358	0x14	data	English	Great Britain	1.25
RT_VERSION	0xe636c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xe6448	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Version Infos

Description	Data
Translation	0x0809 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-04-13T10:58:29.242684+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49692	193.122.130.0	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 13, 2025 10:58:28.820667028 CEST	49692	80	192.168.2.5	193.122.130.0
Apr 13, 2025 10:58:28.940154076 CEST	80	49692	193.122.130.0	192.168.2.5
Apr 13, 2025 10:58:28.940272093 CEST	49692	80	192.168.2.5	193.122.130.0
Apr 13, 2025 10:58:28.940526962 CEST	49692	80	192.168.2.5	193.122.130.0
Apr 13, 2025 10:58:29.060107946 CEST	80	49692	193.122.130.0	192.168.2.5
Apr 13, 2025 10:58:29.062354088 CEST	80	49692	193.122.130.0	192.168.2.5
Apr 13, 2025 10:58:29.065884113 CEST	49692	80	192.168.2.5	193.122.130.0
Apr 13, 2025 10:58:29.188179016 CEST	80	49692	193.122.130.0	192.168.2.5
Apr 13, 2025 10:58:29.242683887 CEST	49692	80	192.168.2.5	193.122.130.0
Apr 13, 2025 10:58:29.299506903 CEST	49693	443	192.168.2.5	104.21.96.1
Apr 13, 2025 10:58:29.299561024 CEST	443	49693	104.21.96.1	192.168.2.5
Apr 13, 2025 10:58:29.299627066 CEST	49693	443	192.168.2.5	104.21.96.1
Apr 13, 2025 10:58:29.306260109 CEST	49693	443	192.168.2.5	104.21.96.1
Apr 13, 2025 10:58:29.306274891 CEST	443	49693	104.21.96.1	192.168.2.5
Apr 13, 2025 10:58:29.539294004 CEST	443	49693	104.21.96.1	192.168.2.5
Apr 13, 2025 10:58:29.539386034 CEST	49693	443	192.168.2.5	104.21.96.1
Apr 13, 2025 10:58:29.544615030 CEST	49693	443	192.168.2.5	104.21.96.1
Apr 13, 2025 10:58:29.544634104 CEST	443	49693	104.21.96.1	192.168.2.5
Apr 13, 2025 10:58:29.545130968 CEST	443	49693	104.21.96.1	192.168.2.5
Apr 13, 2025 10:58:29.586467981 CEST	49693	443	192.168.2.5	104.21.96.1
Apr 13, 2025 10:58:29.589809895 CEST	49693	443	192.168.2.5	104.21.96.1
Apr 13, 2025 10:58:29.632317066 CEST	443	49693	104.21.96.1	192.168.2.5
Apr 13, 2025 10:58:29.795994997 CEST	443	49693	104.21.96.1	192.168.2.5
Apr 13, 2025 10:58:29.796168089 CEST	443	49693	104.21.96.1	192.168.2.5
Apr 13, 2025 10:58:29.796222925 CEST	49693	443	192.168.2.5	104.21.96.1
Apr 13, 2025 10:58:29.803592920 CEST	49693	443	192.168.2.5	104.21.96.1
Apr 13, 2025 10:59:34.187776089 CEST	80	49692	193.122.130.0	192.168.2.5
Apr 13, 2025 10:59:34.187978029 CEST	49692	80	192.168.2.5	193.122.130.0
Apr 13, 2025 11:00:09.196650982 CEST	49692	80	192.168.2.5	193.122.130.0
Apr 13, 2025 11:00:09.318857908 CEST	80	49692	193.122.130.0	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 13, 2025 10:58:28.707523108 CEST	50638	53	192.168.2.5	1.1.1.1
Apr 13, 2025 10:58:28.814640999 CEST	53	50638	1.1.1.1	192.168.2.5
Apr 13, 2025 10:58:29.189456940 CEST	59211	53	192.168.2.5	1.1.1.1
Apr 13, 2025 10:58:29.298947096 CEST	53	59211	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 13, 2025 10:58:28.707523108 CEST	192.168.2.5	1.1.1.1	0x5cef	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Apr 13, 2025 10:58:29.189456940 CEST	192.168.2.5	1.1.1.1	0x830c	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 13, 2025 10:58:24.091594934 CEST	1.1.1.1	192.168.2.5	0x2c4d	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Apr 13, 2025 10:58:24.091594934 CEST	1.1.1.1	192.168.2.5	0x2c4d	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Apr 13, 2025 10:58:28.814640999 CEST	1.1.1.1	192.168.2.5	0x5cef	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 13, 2025 10:58:28.814640999 CEST	1.1.1.1	192.168.2.5	0x5cef	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Apr 13, 2025 10:58:28.814640999 CEST	1.1.1.1	192.168.2.5	0x5cef	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Apr 13, 2025 10:58:28.814640999 CEST	1.1.1.1	192.168.2.5	0x5cef	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Apr 13, 2025 10:58:28.814640999 CEST	1.1.1.1	192.168.2.5	0x5cef	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Apr 13, 2025 10:58:28.814640999 CEST	1.1.1.1	192.168.2.5	0x5cef	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Apr 13, 2025 10:58:29.298947096 CEST	1.1.1.1	192.168.2.5	0x830c	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Apr 13, 2025 10:58:29.298947096 CEST	1.1.1.1	192.168.2.5	0x830c	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Apr 13, 2025 10:58:29.298947096 CEST	1.1.1.1	192.168.2.5	0x830c	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Apr 13, 2025 10:58:29.298947096 CEST	1.1.1.1	192.168.2.5	0x830c	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Apr 13, 2025 10:58:29.298947096 CEST	1.1.1.1	192.168.2.5	0x830c	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Apr 13, 2025 10:58:29.298947096 CEST	1.1.1.1	192.168.2.5	0x830c	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Apr 13, 2025 10:58:29.298947096 CEST	1.1.1.1	192.168.2.5	0x830c	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49692	193.122.130.0	80	7392	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Apr 13, 2025 10:58:28.940526962 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 13, 2025 10:58:29.062354088 CEST	323	IN	HTTP/1.1 200 OK Date: Sun, 13 Apr 2025 08:58:29 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 5dfd032413d87e31ad40f89ce96610cf Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 39 2e 31 38 37 2e 31 37 31 2e 31 36 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 89.187.171.161</body></html>
Apr 13, 2025 10:58:29.065884113 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Apr 13, 2025 10:58:29.188179016 CEST	323	IN	HTTP/1.1 200 OK Date: Sun, 13 Apr 2025 08:58:29 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 7b85d292a72790fe1541904467f54be0 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 39 2e 31 38 37 2e 31 37 31 2e 31 36 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 89.187.171.161</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49693	104.21.96.1	443	7392	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-04-13 08:58:29 UTC	87	OUT	GET /xml/89.187.171.161 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-04-13 08:58:29 UTC	882	IN	HTTP/1.1 200 OK Date: Sun, 13 Apr 2025 08:58:29 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 158443 Last-Modified: Fri, 11 Apr 2025 12:57:46 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=v4UvGIUVskU4dh705A9txD8sI5d%2FM6LEFUMzze1Dsi9C15xHr3hxwVMAG9L4lXltce4pXZOehbJWiZHWHTxzHd8A0Dh%2BHNGBPik7%2FY%2BHPs948ax2KQJxAzw78SDsvrFvEQfIOzKs"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 92f9c30fc934b03d-ATL alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=106106&min_rtt=106082&rtt_var=22398&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2848&recv_bytes=701&delivery_rate=38042&cwnd=252&unsent_bytes=0&cid=5c41e60abb829941&ts=276&x=0"
2025-04-13 08:58:29 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 39 2e 31 38 37 2e 31 37 31 2e 31 36 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 47 41 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 47 65 6f 72 67 69 61 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 41 74 6c 61 6e 74 61 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 33 30 33 30 31 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>89.187.171.161</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>GA</RegionCode><RegionName>Georgia</RegionName><City>Atlanta</City><ZipCode>30301</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	04:58:25
Start date:	13/04/2025
Path:	C:\Users\user\Desktop\smss (2).exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\smss (2).exe"
Imagebase:	0x130000
File size:	950'784 bytes
MD5 hash:	A9A05D451C24858918183C1E7271A306
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.1339327896.0000000003F10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1339327896.0000000003F10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 00000000.00000002.1339327896.0000000003F10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1339327896.0000000003F10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1339327896.0000000003F10000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000000.00000002.1339327896.0000000003F10000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	04:58:26
Start date:	13/04/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\smss (2).exe"
Imagebase:	0xc50000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000001.00000002.2568148003.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2568148003.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 00000001.00000002.2568148003.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000002.2568148003.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000001.00000002.2568148003.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2569009214.0000000003186000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report smss (2).exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\aut33A.tmp

C:\Users\user\AppData\Local\Temp\aut639.tmp

C:\Users\user\AppData\Local\Temp\pluffer

C:\Users\user\AppData\Local\Temp\vehiculation

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Windows Analysis Report
smss (2).exe