Windows Analysis Report
f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe

Overview

General Information

Sample name: f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe
Analysis ID: 1464957
MD5: ae65828171d12dbd2817503f7c230d22
SHA1: 3822837f216fca0e57ad17c799965492efc1f336
SHA256: c5b9529a719d2acc7c9e2fad96ef6b960d0c7a90ddfd14767c2baa6a93939527
Tags: exe
Infos:

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
AI detected suspicious sample
Machine Learning detection for sample
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
404 Keylogger, Snake Keylogger Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Avira: detected
Found malware configuration
Source: 00000000.00000002.4552428555.00000000025C1000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "rightlut@valleycountysar.org", "Password": "fY,FLoadtsiF", "Host": "valleycountysar.org", "Port": "26"}
Multi AV Scanner detection for submitted file
Source: f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe ReversingLabs: Detection: 68%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Joe Sandbox ML: detected

Location Tracking
barindex
Tries to detect the country of the analysis system (by using the IP)
Source: unknown DNS query: name: reallyfreegeoip.org
Uses 32bit PE files
Source: f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49712 version: TLS 1.0
Source: f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 4x nop then jmp 023CF1F6h 0_2_023CF007
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 4x nop then jmp 023CFB80h 0_2_023CF007
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 0_2_023CE528
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 0_2_023CEB5B
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 0_2_023CED3C
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 4x nop then jmp 04BE1A38h 0_2_04BE1620
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 4x nop then jmp 04BE02F1h 0_2_04BE0040
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 4x nop then jmp 04BE1471h 0_2_04BE11C0
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 4x nop then jmp 04BEE759h 0_2_04BEE4B0
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 4x nop then jmp 04BE0751h 0_2_04BE04A0
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 4x nop then jmp 04BEB791h 0_2_04BEB4E8
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 4x nop then jmp 04BEDEA9h 0_2_04BEDC00
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 4x nop then jmp 04BEC041h 0_2_04BEBD98
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 4x nop then jmp 04BE1011h 0_2_04BE0D60
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 4x nop then jmp 04BEF009h 0_2_04BEED60
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 4x nop then jmp 04BED1A1h 0_2_04BECEF8
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 4x nop then jmp 04BEF8B9h 0_2_04BEF610
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 4x nop then jmp 04BE1A38h 0_2_04BE1610
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 4x nop then jmp 04BEC8F1h 0_2_04BEC648
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 4x nop then jmp 04BEDA51h 0_2_04BED7A8
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 4x nop then jmp 04BEE301h 0_2_04BEE058
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 4x nop then jmp 04BEF461h 0_2_04BEF1B8
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 4x nop then jmp 04BEC499h 0_2_04BEC1F0
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 4x nop then jmp 04BEEBB1h 0_2_04BEE908
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 4x nop then jmp 04BE0BB1h 0_2_04BE0900
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 4x nop then jmp 04BE1A38h 0_2_04BE1966
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 4x nop then jmp 04BEBBE9h 0_2_04BEB940
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 4x nop then jmp 04BECD49h 0_2_04BECAA0
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 4x nop then jmp 04BEFD11h 0_2_04BEFA68
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 4x nop then jmp 04BED5F9h 0_2_04BED350
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 4x nop then jmp 051A8945h 0_2_051A8608
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 4x nop then jmp 051A7BA9h 0_2_051A7900
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 4x nop then jmp 051A8001h 0_2_051A7D58
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 4x nop then jmp 051A0FF1h 0_2_051A0D48
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 4x nop then jmp 051A5441h 0_2_051A5198
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 4x nop then jmp 051A8459h 0_2_051A81B0
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 4x nop then jmp 051A72FAh 0_2_051A7050
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 4x nop then jmp 051A02E9h 0_2_051A0040
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 4x nop then jmp 051A0741h 0_2_051A0498
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 4x nop then jmp 051A7751h 0_2_051A74A8
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 4x nop then jmp 051A0B99h 0_2_051A08F0
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 4x nop then jmp 051A65C9h 0_2_051A6320
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 4x nop then jmp 051A6A21h 0_2_051A6778
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 0_2_051A33B8
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 0_2_051A33A8
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 4x nop then jmp 051A6E79h 0_2_051A6BD0
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 4x nop then jmp 051A58C1h 0_2_051A5618
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 4x nop then jmp 051A5D19h 0_2_051A5A70
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 4x nop then jmp 051A6171h 0_2_051A5EC8
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 0_2_051A36CE

Networking
barindex
Yara detected Generic Downloader
Source: Yara match File source: f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe, type: SAMPLE
Source: Yara match File source: 0.0.f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe.220000.0.unpack, type: UNPACKEDPE
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View IP Address: 158.101.44.242 158.101.44.242
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
May check the online IP address of the machine
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: reallyfreegeoip.org
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49712 version: TLS 1.0
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe, 00000000.00000002.4552428555.000000000276A000.00000004.00000800.00020000.00000000.sdmp, f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe, 00000000.00000002.4552428555.0000000002714000.00000004.00000800.00020000.00000000.sdmp, f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe, 00000000.00000002.4552428555.0000000002681000.00000004.00000800.00020000.00000000.sdmp, f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe, 00000000.00000002.4552428555.0000000002778000.00000004.00000800.00020000.00000000.sdmp, f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe, 00000000.00000002.4552428555.000000000273D000.00000004.00000800.00020000.00000000.sdmp, f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe, 00000000.00000002.4552428555.000000000272F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.com
Source: f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe, 00000000.00000002.4552428555.000000000276A000.00000004.00000800.00020000.00000000.sdmp, f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe, 00000000.00000002.4552428555.00000000026C4000.00000004.00000800.00020000.00000000.sdmp, f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe, 00000000.00000002.4552428555.0000000002714000.00000004.00000800.00020000.00000000.sdmp, f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe, 00000000.00000002.4552428555.0000000002681000.00000004.00000800.00020000.00000000.sdmp, f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe, 00000000.00000002.4552428555.000000000274A000.00000004.00000800.00020000.00000000.sdmp, f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe, 00000000.00000002.4552428555.0000000002778000.00000004.00000800.00020000.00000000.sdmp, f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe, 00000000.00000002.4552428555.00000000025C1000.00000004.00000800.00020000.00000000.sdmp, f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe, 00000000.00000002.4552428555.000000000273D000.00000004.00000800.00020000.00000000.sdmp, f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe, 00000000.00000002.4552428555.000000000272F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe, 00000000.00000002.4552428555.00000000025C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe String found in binary or memory: http://checkip.dyndns.org/q
Source: f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe, 00000000.00000002.4552428555.000000000276A000.00000004.00000800.00020000.00000000.sdmp, f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe, 00000000.00000002.4552428555.0000000002714000.00000004.00000800.00020000.00000000.sdmp, f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe, 00000000.00000002.4552428555.0000000002778000.00000004.00000800.00020000.00000000.sdmp, f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe, 00000000.00000002.4552428555.000000000273D000.00000004.00000800.00020000.00000000.sdmp, f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe, 00000000.00000002.4552428555.0000000002699000.00000004.00000800.00020000.00000000.sdmp, f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe, 00000000.00000002.4552428555.000000000272F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://reallyfreegeoip.org
Source: f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe, 00000000.00000002.4552428555.00000000025C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe, 00000000.00000002.4554012542.0000000005CC4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.cR
Source: f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe, 00000000.00000002.4552428555.000000000276A000.00000004.00000800.00020000.00000000.sdmp, f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe, 00000000.00000002.4552428555.00000000026C4000.00000004.00000800.00020000.00000000.sdmp, f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe, 00000000.00000002.4552428555.0000000002714000.00000004.00000800.00020000.00000000.sdmp, f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe, 00000000.00000002.4552428555.0000000002681000.00000004.00000800.00020000.00000000.sdmp, f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe, 00000000.00000002.4552428555.0000000002778000.00000004.00000800.00020000.00000000.sdmp, f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe, 00000000.00000002.4552428555.000000000273D000.00000004.00000800.00020000.00000000.sdmp, f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe, 00000000.00000002.4552428555.000000000272F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe, 00000000.00000002.4552428555.000000000272F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe, 00000000.00000002.4552428555.000000000276A000.00000004.00000800.00020000.00000000.sdmp, f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe, 00000000.00000002.4552428555.00000000026C4000.00000004.00000800.00020000.00000000.sdmp, f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe, 00000000.00000002.4552428555.0000000002714000.00000004.00000800.00020000.00000000.sdmp, f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe, 00000000.00000002.4552428555.0000000002778000.00000004.00000800.00020000.00000000.sdmp, f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe, 00000000.00000002.4552428555.000000000273D000.00000004.00000800.00020000.00000000.sdmp, f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe, 00000000.00000002.4552428555.000000000272F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe, type: SAMPLE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe, type: SAMPLE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe, type: SAMPLE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe, type: SAMPLE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.0.f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe.220000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.0.f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe.220000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.0.f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe.220000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.0.f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe.220000.0.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000000.2098038490.0000000000222000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000000.2098038490.0000000000222000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe PID: 3476, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe PID: 3476, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Process Stats: CPU usage > 49%
Detected potential crypto function
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_023CF007 0_2_023CF007
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_023C6108 0_2_023C6108
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_023CC19F 0_2_023CC19F
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_023C6730 0_2_023C6730
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_023CC751 0_2_023CC751
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_023CC470 0_2_023CC470
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_023CB4FF 0_2_023CB4FF
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_023C3570 0_2_023C3570
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_023CCA31 0_2_023CCA31
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_023C4AD9 0_2_023C4AD9
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_023CBBDF 0_2_023CBBDF
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_023C9858 0_2_023C9858
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_023CBEBF 0_2_023CBEBF
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_023CE528 0_2_023CE528
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_023CE517 0_2_023CE517
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_04BE8460 0_2_04BE8460
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_04BE3870 0_2_04BE3870
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_04BE0040 0_2_04BE0040
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_04BE11C0 0_2_04BE11C0
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_04BE7B70 0_2_04BE7B70
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_04BEE4B0 0_2_04BEE4B0
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_04BE04A0 0_2_04BE04A0
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_04BEE4A0 0_2_04BEE4A0
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_04BE0490 0_2_04BE0490
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_04BEB4E8 0_2_04BEB4E8
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_04BEB4D7 0_2_04BEB4D7
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_04BEDC00 0_2_04BEDC00
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_04BEBD98 0_2_04BEBD98
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_04BE7D90 0_2_04BE7D90
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_04BEBD88 0_2_04BEBD88
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_04BE0D60 0_2_04BE0D60
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_04BEED60 0_2_04BEED60
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_04BEED50 0_2_04BEED50
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_04BE0D51 0_2_04BE0D51
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_04BECEF8 0_2_04BECEF8
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_04BECEEB 0_2_04BECEEB
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_04BEC638 0_2_04BEC638
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_04BEF610 0_2_04BEF610
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_04BEF600 0_2_04BEF600
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_04BEC648 0_2_04BEC648
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_04BED7A8 0_2_04BED7A8
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_04BED798 0_2_04BED798
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_04BEE8F8 0_2_04BEE8F8
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_04BE08F0 0_2_04BE08F0
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_04BE3860 0_2_04BE3860
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_04BEE058 0_2_04BEE058
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_04BEE04B 0_2_04BEE04B
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_04BEF1B8 0_2_04BEF1B8
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_04BE11B0 0_2_04BE11B0
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_04BEF1A9 0_2_04BEF1A9
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_04BEC1F0 0_2_04BEC1F0
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_04BEC1E0 0_2_04BEC1E0
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_04BEB930 0_2_04BEB930
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_04BEE908 0_2_04BEE908
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_04BE0900 0_2_04BE0900
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_04BEB940 0_2_04BEB940
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_04BECAA0 0_2_04BECAA0
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_04BEFA68 0_2_04BEFA68
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_04BEFA59 0_2_04BEFA59
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_04BEDBF1 0_2_04BEDBF1
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_04BE73E8 0_2_04BE73E8
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_04BE73D8 0_2_04BE73D8
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_04BED350 0_2_04BED350
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_04BED340 0_2_04BED340
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_051ABD38 0_2_051ABD38
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_051AC9D8 0_2_051AC9D8
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_051AA408 0_2_051AA408
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_051AD028 0_2_051AD028
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_051AB0A0 0_2_051AB0A0
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_051A8B58 0_2_051A8B58
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_051AC388 0_2_051AC388
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_051A8608 0_2_051A8608
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_051AAA58 0_2_051AAA58
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_051AD670 0_2_051AD670
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_051AB6E8 0_2_051AB6E8
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_051A7900 0_2_051A7900
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_051A0D39 0_2_051A0D39
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_051ABD28 0_2_051ABD28
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_051A7D58 0_2_051A7D58
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_051A0D48 0_2_051A0D48
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_051A7D48 0_2_051A7D48
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_051A5198 0_2_051A5198
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_051A1191 0_2_051A1191
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_051A518B 0_2_051A518B
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_051A81B0 0_2_051A81B0
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_051A11A0 0_2_051A11A0
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_051A81A0 0_2_051A81A0
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_051AC9C8 0_2_051AC9C8
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_051A85FC 0_2_051A85FC
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_051AD018 0_2_051AD018
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_051A2809 0_2_051A2809
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_051A0006 0_2_051A0006
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_051A2807 0_2_051A2807
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_051A4430 0_2_051A4430
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_051A7050 0_2_051A7050
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_051A0040 0_2_051A0040
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_051A7040 0_2_051A7040
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_051A0498 0_2_051A0498
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_051A7497 0_2_051A7497
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_051A0488 0_2_051A0488
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_051AB08F 0_2_051AB08F
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_051A28B0 0_2_051A28B0
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_051A74A8 0_2_051A74A8
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_051A08F0 0_2_051A08F0
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_051A78F0 0_2_051A78F0
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_051A08E0 0_2_051A08E0
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_051A6313 0_2_051A6313
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_051A3730 0_2_051A3730
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_051A6320 0_2_051A6320
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_051A6778 0_2_051A6778
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_051AC378 0_2_051AC378
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_051A676B 0_2_051A676B
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_051A33B8 0_2_051A33B8
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_051A33A8 0_2_051A33A8
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_051A6BD0 0_2_051A6BD0
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_051A6BC1 0_2_051A6BC1
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_051AA3F8 0_2_051AA3F8
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_051A5618 0_2_051A5618
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_051A560B 0_2_051A560B
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_051AAA48 0_2_051AAA48
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_051A5A70 0_2_051A5A70
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_051AD662 0_2_051AD662
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_051A5A60 0_2_051A5A60
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_051A5EB8 0_2_051A5EB8
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_051AB6D9 0_2_051AB6D9
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_051A5EC8 0_2_051A5EC8
Sample file is different than original file name gathered from version info
Source: f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe, 00000000.00000002.4551650348.00000000006DE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe
Source: f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe, 00000000.00000002.4551504344.00000000003D7000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe
Source: f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe, 00000000.00000000.2098038490.0000000000222000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe
Source: f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe
Uses 32bit PE files
Source: f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe, type: SAMPLE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe, type: SAMPLE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe, type: SAMPLE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe, type: SAMPLE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.0.f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe.220000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.0.f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe.220000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe.220000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.0.f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe.220000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000000.2098038490.0000000000222000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000000.2098038490.0000000000222000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe PID: 3476, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe PID: 3476, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe, ----.cs Cryptographic APIs: 'TransformFinalBlock'
Source: f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe, ----.cs Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine Classification label: mal100.troj.spyw.winEXE@1/0@2/2
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Mutant created: NULL
Source: f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe, 00000000.00000002.4552428555.0000000002835000.00000004.00000800.00020000.00000000.sdmp, f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe, 00000000.00000002.4553257458.0000000003649000.00000004.00000800.00020000.00000000.sdmp, f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe, 00000000.00000002.4552428555.0000000002842000.00000004.00000800.00020000.00000000.sdmp, f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe, 00000000.00000002.4552428555.000000000280E000.00000004.00000800.00020000.00000000.sdmp, f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe, 00000000.00000002.4552428555.00000000027EF000.00000004.00000800.00020000.00000000.sdmp, f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe, 00000000.00000002.4552428555.00000000027FF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe ReversingLabs: Detection: 68%
Source: f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe String found in binary or memory: F-Stopw
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_023CB328 push ebp; retf 0_2_023CB4FE
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_023CD308 push esp; retf 0_2_023CD316
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_023CC197 push ebp; retf 0_2_023CC19E
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_023CD60F push ebx; retf 0_2_023CD61E
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_023C16D8 push edx; retf 0_2_023C16E6
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_023C07B0 push ebp; retf 0_2_023C07BA
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_023C07D9 push edi; retf 0_2_023C07DA
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_023C17C8 push edx; retf 0_2_023C17D6
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_023C07C0 push ebp; retf 0_2_023C07CA
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_023CB4F3 push ebp; retf 0_2_023CB4FE
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_023CBBD3 push ebp; retf 0_2_023CBBDE
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_023C18B8 push ebx; retf 0_2_023C18C6
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_023C1918 push ebx; retf 0_2_023C1926
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_023CBEB4 push esp; retf 0_2_023CBEBE
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_023CDF79 push ebx; retf 0_2_023CDF86
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_04BE2E78 push esp; iretd 0_2_04BE2E79
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Memory allocated: 2360000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Memory allocated: 25C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Memory allocated: 23E0000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 599875 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 599766 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 599656 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 599547 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 599438 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 599313 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 599188 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 599055 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 598951 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 598844 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 598719 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 598610 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 598469 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 598360 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 598250 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 598141 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 598016 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 597891 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 597781 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 597672 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 597549 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 597422 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 597313 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 597188 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 597063 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 596953 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 596844 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 596719 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 596609 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 596497 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 596391 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 596281 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 596172 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 596061 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 595953 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 595843 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 595732 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 595625 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 595516 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 595391 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 595281 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 595172 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 595063 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 594938 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 594813 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 594688 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 594578 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 594464 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 594360 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Window / User API: threadDelayed 1839 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Window / User API: threadDelayed 8010 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe TID: 1468 Thread sleep time: -26747778906878833s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe TID: 1468 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe TID: 1468 Thread sleep time: -599875s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe TID: 4136 Thread sleep count: 1839 > 30 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe TID: 4136 Thread sleep count: 8010 > 30 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe TID: 1468 Thread sleep time: -599766s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe TID: 1468 Thread sleep time: -599656s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe TID: 1468 Thread sleep time: -599547s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe TID: 1468 Thread sleep time: -599438s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe TID: 1468 Thread sleep time: -599313s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe TID: 1468 Thread sleep time: -599188s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe TID: 1468 Thread sleep time: -599055s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe TID: 1468 Thread sleep time: -598951s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe TID: 1468 Thread sleep time: -598844s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe TID: 1468 Thread sleep time: -598719s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe TID: 1468 Thread sleep time: -598610s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe TID: 1468 Thread sleep time: -598469s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe TID: 1468 Thread sleep time: -598360s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe TID: 1468 Thread sleep time: -598250s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe TID: 1468 Thread sleep time: -598141s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe TID: 1468 Thread sleep time: -598016s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe TID: 1468 Thread sleep time: -597891s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe TID: 1468 Thread sleep time: -597781s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe TID: 1468 Thread sleep time: -597672s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe TID: 1468 Thread sleep time: -597549s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe TID: 1468 Thread sleep time: -597422s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe TID: 1468 Thread sleep time: -597313s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe TID: 1468 Thread sleep time: -597188s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe TID: 1468 Thread sleep time: -597063s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe TID: 1468 Thread sleep time: -596953s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe TID: 1468 Thread sleep time: -596844s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe TID: 1468 Thread sleep time: -596719s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe TID: 1468 Thread sleep time: -596609s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe TID: 1468 Thread sleep time: -596497s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe TID: 1468 Thread sleep time: -596391s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe TID: 1468 Thread sleep time: -596281s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe TID: 1468 Thread sleep time: -596172s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe TID: 1468 Thread sleep time: -596061s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe TID: 1468 Thread sleep time: -595953s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe TID: 1468 Thread sleep time: -595843s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe TID: 1468 Thread sleep time: -595732s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe TID: 1468 Thread sleep time: -595625s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe TID: 1468 Thread sleep time: -595516s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe TID: 1468 Thread sleep time: -595391s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe TID: 1468 Thread sleep time: -595281s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe TID: 1468 Thread sleep time: -595172s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe TID: 1468 Thread sleep time: -595063s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe TID: 1468 Thread sleep time: -594938s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe TID: 1468 Thread sleep time: -594813s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe TID: 1468 Thread sleep time: -594688s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe TID: 1468 Thread sleep time: -594578s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe TID: 1468 Thread sleep time: -594464s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe TID: 1468 Thread sleep time: -594360s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 599875 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 599766 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 599656 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 599547 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 599438 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 599313 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 599188 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 599055 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 598951 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 598844 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 598719 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 598610 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 598469 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 598360 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 598250 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 598141 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 598016 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 597891 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 597781 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 597672 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 597549 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 597422 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 597313 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 597188 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 597063 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 596953 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 596844 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 596719 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 596609 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 596497 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 596391 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 596281 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 596172 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 596061 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 595953 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 595843 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 595732 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 595625 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 595516 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 595391 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 595281 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 595172 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 595063 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 594938 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 594813 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 594688 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 594578 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 594464 Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Thread delayed: delay time: 594360 Jump to behavior
Source: f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe, 00000000.00000002.4551650348.0000000000749000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Code function: 0_2_04BE7B70 LdrInitializeThunk, 0_2_04BE7B70
Enables debug privileges
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Memory allocated: page read and write | page guard Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Queries volume information: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Snake Keylogger
Source: Yara match File source: f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe, type: SAMPLE
Source: Yara match File source: 0.0.f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe.220000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.4552428555.0000000002786000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.2098038490.0000000000222000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4552428555.00000000025C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe PID: 3476, type: MEMORYSTR
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\ Jump to behavior
Source: C:\Users\user\Desktop\f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe, type: SAMPLE
Source: Yara match File source: 0.0.f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe.220000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.2098038490.0000000000222000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe PID: 3476, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Snake Keylogger
Source: Yara match File source: f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe, type: SAMPLE
Source: Yara match File source: 0.0.f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe.220000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.4552428555.0000000002786000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.2098038490.0000000000222000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4552428555.00000000025C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe PID: 3476, type: MEMORYSTR
windows-stand
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
188.114.97.3
 reallyfreegeoip.org European Union
13335 CLOUDFLARENETUS true
158.101.44.242
 checkip.dyndns.com United States
31898 ORACLE-BMC-31898US false

Contacted Domains

Name IP Active
reallyfreegeoip.org 188.114.97.3 true
checkip.dyndns.com 158.101.44.242 true
checkip.dyndns.org unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://checkip.dyndns.org/ false
  • Avira URL Cloud: safe
 unknown
https://reallyfreegeoip.org/xml/8.46.123.33 false
  • Avira URL Cloud: safe
 unknown