Windows Analysis Report
PO#7889296.exe

Overview

General Information

Sample name:	PO#7889296.exe
Analysis ID:	1650618
MD5:	1312de280df9f1a993e4c3d93764010b
SHA1:	8021cc971121660193bf049ad4e20db1421b73f2
SHA256:	f406a0fd055028ed41cfbc96b9bffb575e14272b26cb5091c7a16f35d15c821b
Tags:	exeuser-threatcat_ch
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Snake Keylogger

Binary is likely a compiled AutoIt script file

Initial sample is a PE file and has a suspicious name

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

Sample uses string decryption to hide its real strings

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

One or more processes crash

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Signatures

AV Detection

Found malware configuration

Source: 00000002.00000002.941080153.0000000000402000.00000040.80000000.00040000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7939905545:AAGZ8bMeWRWU5UEZdgj90fd6BDk9K4EMabA/sendMessage?chat_id=7000018009", "Token": "7939905545:AAGZ8bMeWRWU5UEZdgj90fd6BDk9K4EMabA", "Chat_id": "7000018009", "Version": "5.1"}

Multi AV Scanner detection for submitted file

Source: PO#7889296.exe	Virustotal: Detection: 38%			Perma Link
Source: PO#7889296.exe	ReversingLabs: Detection: 61%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Neural Call Log Analysis: 95.2%

Sample uses string decryption to hide its real strings

Source: 2.2.RegSvcs.exe.400000.0.unpack	String decryptor:
Source: 2.2.RegSvcs.exe.400000.0.unpack	String decryptor: 7939905545:AAGZ8bMeWRWU5UEZdgj90fd6BDk9K4EMabA
Source: 2.2.RegSvcs.exe.400000.0.unpack	String decryptor: 7000018009

Uses 32bit PE files

Source: PO#7889296.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: $$.pdb source: RegSvcs.exe, 00000002.00000002.941184833.00000000010F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdbr source: RegSvcs.exe, 00000002.00000002.941184833.00000000010F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: RegSvcs.exe, 00000002.00000002.943036497.00000000013F3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: System.ni.pdbRSDS source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.PDB source: RegSvcs.exe, 00000002.00000002.941184833.00000000010F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdbSystem.ni.dll source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: RegSvcs.pdb, source: RegSvcs.exe, 00000002.00000002.943036497.00000000013F3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: PO#7889296.exe, 00000000.00000003.875821730.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp, PO#7889296.exe, 00000000.00000003.873680544.0000000004180000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.pdb source: RegSvcs.exe, 00000002.00000002.943036497.00000000013F3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdbA source: RegSvcs.exe, 00000002.00000002.943036497.00000000013F3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: PO#7889296.exe, 00000000.00000003.875821730.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp, PO#7889296.exe, 00000000.00000003.873680544.0000000004180000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: RegSvcs.exe, 00000002.00000002.943036497.000000000137C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.pdbs source: RegSvcs.exe, 00000002.00000002.943036497.00000000013F3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: RegSvcs.exe, 00000002.00000002.943036497.00000000013F3000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.941184833.00000000010F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: RegSvcs.pdbegSvcs.pdbpdbvcs.pdbv4.0.30319\RegSvcs.pdb source: RegSvcs.exe, 00000002.00000002.941184833.00000000010F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: oC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.pdbt source: RegSvcs.exe, 00000002.00000002.941184833.00000000010F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: symbols\exe\RegSvcs.pdb source: RegSvcs.exe, 00000002.00000002.941184833.00000000010F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: o.pdb source: RegSvcs.exe, 00000002.00000002.941184833.00000000010F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: System.Core.ni.pdb source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: \??\C:\Windows\exe\RegSvcs.pdb]g1) source: RegSvcs.exe, 00000002.00000002.943036497.000000000137C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: \??\C:\Windows\symbols\exe\RegSvcs.pdb source: RegSvcs.exe, 00000002.00000002.943036497.00000000013F3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: o0C:\Windows\RegSvcs.pdb source: RegSvcs.exe, 00000002.00000002.941184833.00000000010F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: RegSvcs.pdbsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows source: RegSvcs.exe, 00000002.00000002.946966451.00000000064B2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: \??\C:\Windows\RegSvcs.pdb source: RegSvcs.exe, 00000002.00000002.943036497.00000000013F3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.PDB source: RegSvcs.exe, 00000002.00000002.943036497.00000000013F3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: RegSvcs.exe, 00000002.00000002.943036497.00000000013F3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: System.Windows.Forms.pdbw source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: C:\Windows\RegSvcs.pdbpdbvcs.pdb/ source: RegSvcs.exe, 00000002.00000002.943036497.00000000013F3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER3F08.tmp.dmp.5.dr

Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00DB445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00DB445A
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00DBC6D1 FindFirstFileW,FindClose,	0_2_00DBC6D1
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00DBC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00DBC75C
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00DBEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00DBEF95
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00DBF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00DBF0F2
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00DBF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00DBF3F3
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00DB37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00DB37EF
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00DB3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00DB3B12
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00DBBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00DBBCBC

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 158.101.44.242 158.101.44.242

May check the online IP address of the machine

Source: unknown

DNS query: name: checkip.dyndns.org

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\PO#7889296.exe

Code function: 0_2_00DC22EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00DC22EE

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: checkip.dyndns.org

Source: RegSvcs.exe, 00000002.00000002.945649160.0000000003139000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000002.00000002.945649160.0000000003126000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.945649160.0000000003139000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000002.00000002.945649160.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: PO#7889296.exe, 00000000.00000002.876674998.00000000016D0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.941080153.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000002.00000002.945649160.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.5.dr	String found in binary or memory: http://upx.sf.net
Source: PO#7889296.exe, 00000000.00000002.876674998.00000000016D0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.941080153.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\PO#7889296.exe

Code function: 0_2_00DC4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00DC4164

Contains functionality to modify clipboard data

Source: C:\Users\user\Desktop\PO#7889296.exe

Code function: 0_2_00DC4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00DC4164

Contains functionality to read the clipboard data

Source: C:\Users\user\Desktop\PO#7889296.exe

Code function: 0_2_00DC3F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00DC3F66

Contains functionality to retrieve information about pressed keystrokes

Source: C:\Users\user\Desktop\PO#7889296.exe

Code function: 0_2_00DB001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00DB001C

Potential key logger detected (key state polling based)

Source: C:\Users\user\Desktop\PO#7889296.exe

Code function: 0_2_00DDCABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00DDCABC

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.PO#7889296.exe.16d0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.PO#7889296.exe.16d0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.PO#7889296.exe.16d0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.PO#7889296.exe.16d0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.PO#7889296.exe.16d0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.PO#7889296.exe.16d0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.PO#7889296.exe.16d0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.PO#7889296.exe.16d0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000002.00000002.941080153.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.941080153.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.876674998.00000000016D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.876674998.00000000016D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000000.00000002.876674998.00000000016D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000000.00000002.876674998.00000000016D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: PO#7889296.exe PID: 3624, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: PO#7889296.exe PID: 3624, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: RegSvcs.exe PID: 2916, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 2916, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00D53B3A
Source: PO#7889296.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: PO#7889296.exe, 00000000.00000002.876391115.0000000000E04000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_0ba8df37-a
Source: PO#7889296.exe, 00000000.00000002.876391115.0000000000E04000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_c856d7ed-2
Source: PO#7889296.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_463e7086-0
Source: PO#7889296.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_3aa6a49f-a

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: PO#7889296.exe

Contains functionality to communicate with device drivers

Source: C:\Users\user\Desktop\PO#7889296.exe

Code function: 0_2_00DBA1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_00DBA1EF

Contains functionality to launch a process as a different user

Source: C:\Users\user\Desktop\PO#7889296.exe

Code function: 0_2_00DA8310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00DA8310

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\PO#7889296.exe

Code function: 0_2_00DB51BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00DB51BD

Detected potential crypto function

Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00D5E6A0	0_2_00D5E6A0
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00D7D975	0_2_00D7D975
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00D5FCE0	0_2_00D5FCE0
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00D721C5	0_2_00D721C5
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00D862D2	0_2_00D862D2
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00DD03DA	0_2_00DD03DA
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00D8242E	0_2_00D8242E
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00D725FA	0_2_00D725FA
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00D666E1	0_2_00D666E1
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00DAE616	0_2_00DAE616
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00D8878F	0_2_00D8878F
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00DB8889	0_2_00DB8889
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00DD0857	0_2_00DD0857
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00D86844	0_2_00D86844
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00D68808	0_2_00D68808
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00D7CB21	0_2_00D7CB21
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00D86DB6	0_2_00D86DB6
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00D66F9E	0_2_00D66F9E
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00D63030	0_2_00D63030
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00D7F1D9	0_2_00D7F1D9
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00D73187	0_2_00D73187
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00D51287	0_2_00D51287
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00D71484	0_2_00D71484
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00D65520	0_2_00D65520
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00D77696	0_2_00D77696
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00D65760	0_2_00D65760
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00D71978	0_2_00D71978
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00D89AB5	0_2_00D89AB5
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00DD7DDB	0_2_00DD7DDB
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00D71D90	0_2_00D71D90
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00D7BDA6	0_2_00D7BDA6
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00D63FE0	0_2_00D63FE0
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00D5DF00	0_2_00D5DF00
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_019429D8	0_2_019429D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0131330F	2_2_0131330F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_01313572	2_2_01313572
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0131300F	2_2_0131300F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_013130B1	2_2_013130B1

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: String function: 00D78900 appears 42 times
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: String function: 00D57DE1 appears 35 times
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: String function: 00D70AE3 appears 70 times

One or more processes crash

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 1476

Sample file is different than original file name gathered from version info

Source: PO#7889296.exe, 00000000.00000003.873561571.0000000004103000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs PO#7889296.exe
Source: PO#7889296.exe, 00000000.00000003.874033437.00000000042AD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs PO#7889296.exe
Source: PO#7889296.exe, 00000000.00000002.876674998.00000000016D0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs PO#7889296.exe

Uses 32bit PE files

Source: PO#7889296.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Yara signature match

Source: 0.2.PO#7889296.exe.16d0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.PO#7889296.exe.16d0000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PO#7889296.exe.16d0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.PO#7889296.exe.16d0000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.PO#7889296.exe.16d0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.PO#7889296.exe.16d0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PO#7889296.exe.16d0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.PO#7889296.exe.16d0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000002.00000002.941080153.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.941080153.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.876674998.00000000016D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.876674998.00000000016D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.876674998.00000000016D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000000.00000002.876674998.00000000016D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: PO#7889296.exe PID: 3624, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: PO#7889296.exe PID: 3624, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: RegSvcs.exe PID: 2916, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 2916, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: 0.2.PO#7889296.exe.16d0000.1.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO#7889296.exe.16d0000.1.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO#7889296.exe.16d0000.1.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO#7889296.exe.16d0000.1.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.PO#7889296.exe.16d0000.1.raw.unpack, ---.cs

Base64 encoded string: 'O6mfJ0hBC53+hk+N4Tzu6TRtFbdL3qod2Mr8IiV/ENJs+CZ6C7FqzyET0mCRJWTd'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@4/7@1/1

Source: C:\Users\user\Desktop\PO#7889296.exe

Code function: 0_2_00DBA06A GetLastError,FormatMessageW,

0_2_00DBA06A

Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00DA81CB AdjustTokenPrivileges,CloseHandle,		0_2_00DA81CB
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00DA87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00DA87E1

Source: C:\Users\user\Desktop\PO#7889296.exe

Code function: 0_2_00DBB3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00DBB3FB

Source: C:\Users\user\Desktop\PO#7889296.exe

Code function: 0_2_00DCEE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00DCEE0D

Source: C:\Users\user\Desktop\PO#7889296.exe

Code function: 0_2_00DBC397 CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00DBC397

Source: C:\Users\user\Desktop\PO#7889296.exe

Code function: 0_2_00D54E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00D54E89

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2916

Source: C:\Users\user\Desktop\PO#7889296.exe

File created: C:\Users\user\AppData\Local\Temp\aut2E7E.tmp

Jump to behavior

Source: PO#7889296.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\PO#7889296.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: PO#7889296.exe	Virustotal: Detection: 38%
Source: PO#7889296.exe	ReversingLabs: Detection: 61%

Source: unknown	Process created: C:\Users\user\Desktop\PO#7889296.exe "C:\Users\user\Desktop\PO#7889296.exe"
Source: C:\Users\user\Desktop\PO#7889296.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\PO#7889296.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 1476
Source: C:\Users\user\Desktop\PO#7889296.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\PO#7889296.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PO#7889296.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#7889296.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#7889296.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#7889296.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#7889296.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#7889296.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#7889296.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#7889296.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#7889296.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#7889296.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#7889296.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: PO#7889296.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: PO#7889296.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: PO#7889296.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: PO#7889296.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: PO#7889296.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: PO#7889296.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: PO#7889296.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: $$.pdb source: RegSvcs.exe, 00000002.00000002.941184833.00000000010F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdbr source: RegSvcs.exe, 00000002.00000002.941184833.00000000010F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: RegSvcs.exe, 00000002.00000002.943036497.00000000013F3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: System.ni.pdbRSDS source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.PDB source: RegSvcs.exe, 00000002.00000002.941184833.00000000010F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdbSystem.ni.dll source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: RegSvcs.pdb, source: RegSvcs.exe, 00000002.00000002.943036497.00000000013F3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: PO#7889296.exe, 00000000.00000003.875821730.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp, PO#7889296.exe, 00000000.00000003.873680544.0000000004180000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.pdb source: RegSvcs.exe, 00000002.00000002.943036497.00000000013F3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdbA source: RegSvcs.exe, 00000002.00000002.943036497.00000000013F3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: PO#7889296.exe, 00000000.00000003.875821730.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp, PO#7889296.exe, 00000000.00000003.873680544.0000000004180000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: RegSvcs.exe, 00000002.00000002.943036497.000000000137C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.pdbs source: RegSvcs.exe, 00000002.00000002.943036497.00000000013F3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: RegSvcs.exe, 00000002.00000002.943036497.00000000013F3000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.941184833.00000000010F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: RegSvcs.pdbegSvcs.pdbpdbvcs.pdbv4.0.30319\RegSvcs.pdb source: RegSvcs.exe, 00000002.00000002.941184833.00000000010F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: oC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.pdbt source: RegSvcs.exe, 00000002.00000002.941184833.00000000010F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: symbols\exe\RegSvcs.pdb source: RegSvcs.exe, 00000002.00000002.941184833.00000000010F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: o.pdb source: RegSvcs.exe, 00000002.00000002.941184833.00000000010F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: System.Core.ni.pdb source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: \??\C:\Windows\exe\RegSvcs.pdb]g1) source: RegSvcs.exe, 00000002.00000002.943036497.000000000137C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: \??\C:\Windows\symbols\exe\RegSvcs.pdb source: RegSvcs.exe, 00000002.00000002.943036497.00000000013F3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: o0C:\Windows\RegSvcs.pdb source: RegSvcs.exe, 00000002.00000002.941184833.00000000010F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: RegSvcs.pdbsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows source: RegSvcs.exe, 00000002.00000002.946966451.00000000064B2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: \??\C:\Windows\RegSvcs.pdb source: RegSvcs.exe, 00000002.00000002.943036497.00000000013F3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.PDB source: RegSvcs.exe, 00000002.00000002.943036497.00000000013F3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: RegSvcs.exe, 00000002.00000002.943036497.00000000013F3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: System.Windows.Forms.pdbw source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: C:\Windows\RegSvcs.pdbpdbvcs.pdb/ source: RegSvcs.exe, 00000002.00000002.943036497.00000000013F3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER3F08.tmp.dmp.5.dr

Source: PO#7889296.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: PO#7889296.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: PO#7889296.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: PO#7889296.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: PO#7889296.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\PO#7889296.exe

Code function: 0_2_00D54B37 LoadLibraryA,GetProcAddress,

0_2_00D54B37

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\PO#7889296.exe

Code function: 0_2_00D78945 push ecx; ret

0_2_00D78958

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00D548D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00D548D7
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00DD5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00DD5376

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\PO#7889296.exe

Code function: 0_2_00D73187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00D73187

Source: C:\Users\user\Desktop\PO#7889296.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#7889296.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\PO#7889296.exe

API/Special instruction interceptor: Address: 19425FC

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: PO#7889296.exe, 00000000.00000003.864698874.0000000001986000.00000004.00000020.00020000.00000000.sdmp, PO#7889296.exe, 00000000.00000003.867183439.0000000001986000.00000004.00000020.00020000.00000000.sdmp, PO#7889296.exe, 00000000.00000003.866487700.0000000001986000.00000004.00000020.00020000.00000000.sdmp, PO#7889296.exe, 00000000.00000003.864148564.0000000001986000.00000004.00000020.00020000.00000000.sdmp, PO#7889296.exe, 00000000.00000003.867554552.0000000001986000.00000004.00000020.00020000.00000000.sdmp, PO#7889296.exe, 00000000.00000003.864073925.0000000001957000.00000004.00000020.00020000.00000000.sdmp, PO#7889296.exe, 00000000.00000002.876874229.0000000001986000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: PROCESSHACKER.EXE

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\PO#7889296.exe

API coverage: 4.4 %

Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00DB445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00DB445A
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00DBC6D1 FindFirstFileW,FindClose,	0_2_00DBC6D1
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00DBC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00DBC75C
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00DBEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00DBEF95
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00DBF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00DBF0F2
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00DBF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00DBF3F3
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00DB37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00DB37EF
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00DB3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00DB3B12
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00DBBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00DBBCBC

Source: C:\Users\user\Desktop\PO#7889296.exe

Code function: 0_2_00D549A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00D549A0

Source: Amcache.hve.5.dr	Binary or memory string: VMware
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr	Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
Source: Amcache.hve.5.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: RegSvcs.exe, 00000002.00000002.943036497.00000000013DA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllw~N
Source: Amcache.hve.5.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.5.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.5.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.5.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.5.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.5.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Checks if the current process is being debugged

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort			Jump to behavior

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Source: C:\Users\user\Desktop\PO#7889296.exe

Code function: 0_2_00DC3F09 BlockInput,

0_2_00DC3F09

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\PO#7889296.exe

Code function: 0_2_00D53B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00D53B3A

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Users\user\Desktop\PO#7889296.exe

Code function: 0_2_00D85A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00D85A7C

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\PO#7889296.exe

Code function: 0_2_00D54B37 LoadLibraryA,GetProcAddress,

0_2_00D54B37

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_01941208 mov eax, dword ptr fs:[00000030h]	0_2_01941208
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_019428C8 mov eax, dword ptr fs:[00000030h]	0_2_019428C8
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_01942868 mov eax, dword ptr fs:[00000030h]	0_2_01942868

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\PO#7889296.exe

Code function: 0_2_00DA80A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_00DA80A9

Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00D7A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00D7A155
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00D7A124 SetUnhandledExceptionFilter,		0_2_00D7A124

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\PO#7889296.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\PO#7889296.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: F2C008

Jump to behavior

Contains functionality to execute programs as a different user

Source: C:\Users\user\Desktop\PO#7889296.exe

Code function: 0_2_00DA87B1 LogonUserW,

0_2_00DA87B1

Contains functionality to launch a program with higher privileges

Source: C:\Users\user\Desktop\PO#7889296.exe

Code function: 0_2_00D53B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00D53B3A

Contains functionality to simulate keystroke presses

Source: C:\Users\user\Desktop\PO#7889296.exe

Code function: 0_2_00D548D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00D548D7

Contains functionality to simulate mouse events

Source: C:\Users\user\Desktop\PO#7889296.exe

Code function: 0_2_00DB4C53 mouse_event,

0_2_00DB4C53

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\PO#7889296.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\PO#7889296.exe"

Jump to behavior

Source: C:\Users\user\Desktop\PO#7889296.exe

Code function: 0_2_00DA7CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00DA7CAF

Source: C:\Users\user\Desktop\PO#7889296.exe

Code function: 0_2_00DA874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00DA874B

Source: PO#7889296.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: PO#7889296.exe	Binary or memory string: Shell_TrayWnd

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\PO#7889296.exe

Code function: 0_2_00D7862B cpuid

0_2_00D7862B

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\PO#7889296.exe

Code function: 0_2_00D84E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00D84E87

Source: C:\Users\user\Desktop\PO#7889296.exe

Code function: 0_2_00D91E06 GetUserNameW,

0_2_00D91E06

Source: C:\Users\user\Desktop\PO#7889296.exe

Code function: 0_2_00D83F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00D83F3A

Source: C:\Users\user\Desktop\PO#7889296.exe

Code function: 0_2_00D549A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00D549A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.PO#7889296.exe.16d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO#7889296.exe.16d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.941080153.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.876674998.00000000016D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.945649160.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO#7889296.exe PID: 3624, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2916, type: MEMORYSTR

OS version to string mapping found (often used in BOTs)

Source: PO#7889296.exe	Binary or memory string: WIN_81
Source: PO#7889296.exe	Binary or memory string: WIN_XP
Source: PO#7889296.exe	Binary or memory string: WIN_XPe
Source: PO#7889296.exe	Binary or memory string: WIN_VISTA
Source: PO#7889296.exe	Binary or memory string: WIN_7
Source: PO#7889296.exe	Binary or memory string: WIN_8
Source: PO#7889296.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Yara detected Credential Stealer

Source: Yara match	File source: 0.2.PO#7889296.exe.16d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO#7889296.exe.16d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.941080153.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.876674998.00000000016D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO#7889296.exe PID: 3624, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2916, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.PO#7889296.exe.16d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO#7889296.exe.16d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.941080153.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.876674998.00000000016D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.945649160.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO#7889296.exe PID: 3624, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2916, type: MEMORYSTR

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00DC6283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00DC6283
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00DC6747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00DC6747

Screenshots

Behavior

Click here to start
Slideshow Behavior Animation

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
158.101.44.242	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	false

Contacted Domains

Name	IP	Active
checkip.dyndns.com	158.101.44.242	true
checkip.dyndns.org	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high

AV Detection

Found malware configuration

Source: 00000002.00000002.941080153.0000000000402000.00000040.80000000.00040000.00000000.sdmp

Multi AV Scanner detection for submitted file

Source: PO#7889296.exe	Virustotal: Detection: 38%			Perma Link
Source: PO#7889296.exe	ReversingLabs: Detection: 61%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Neural Call Log Analysis: 95.2%

Sample uses string decryption to hide its real strings

Source: 2.2.RegSvcs.exe.400000.0.unpack	String decryptor:
Source: 2.2.RegSvcs.exe.400000.0.unpack	String decryptor: 7939905545:AAGZ8bMeWRWU5UEZdgj90fd6BDk9K4EMabA
Source: 2.2.RegSvcs.exe.400000.0.unpack	String decryptor: 7000018009

Uses 32bit PE files

Source: PO#7889296.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: $$.pdb source: RegSvcs.exe, 00000002.00000002.941184833.00000000010F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdbr source: RegSvcs.exe, 00000002.00000002.941184833.00000000010F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: RegSvcs.exe, 00000002.00000002.943036497.00000000013F3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: System.ni.pdbRSDS source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.PDB source: RegSvcs.exe, 00000002.00000002.941184833.00000000010F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdbSystem.ni.dll source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: RegSvcs.pdb, source: RegSvcs.exe, 00000002.00000002.943036497.00000000013F3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: PO#7889296.exe, 00000000.00000003.875821730.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp, PO#7889296.exe, 00000000.00000003.873680544.0000000004180000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.pdb source: RegSvcs.exe, 00000002.00000002.943036497.00000000013F3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdbA source: RegSvcs.exe, 00000002.00000002.943036497.00000000013F3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: PO#7889296.exe, 00000000.00000003.875821730.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp, PO#7889296.exe, 00000000.00000003.873680544.0000000004180000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: RegSvcs.exe, 00000002.00000002.943036497.000000000137C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.pdbs source: RegSvcs.exe, 00000002.00000002.943036497.00000000013F3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: RegSvcs.exe, 00000002.00000002.943036497.00000000013F3000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.941184833.00000000010F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: RegSvcs.pdbegSvcs.pdbpdbvcs.pdbv4.0.30319\RegSvcs.pdb source: RegSvcs.exe, 00000002.00000002.941184833.00000000010F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: oC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.pdbt source: RegSvcs.exe, 00000002.00000002.941184833.00000000010F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: symbols\exe\RegSvcs.pdb source: RegSvcs.exe, 00000002.00000002.941184833.00000000010F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: o.pdb source: RegSvcs.exe, 00000002.00000002.941184833.00000000010F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: System.Core.ni.pdb source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: \??\C:\Windows\exe\RegSvcs.pdb]g1) source: RegSvcs.exe, 00000002.00000002.943036497.000000000137C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: \??\C:\Windows\symbols\exe\RegSvcs.pdb source: RegSvcs.exe, 00000002.00000002.943036497.00000000013F3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: o0C:\Windows\RegSvcs.pdb source: RegSvcs.exe, 00000002.00000002.941184833.00000000010F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: RegSvcs.pdbsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows source: RegSvcs.exe, 00000002.00000002.946966451.00000000064B2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: \??\C:\Windows\RegSvcs.pdb source: RegSvcs.exe, 00000002.00000002.943036497.00000000013F3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.PDB source: RegSvcs.exe, 00000002.00000002.943036497.00000000013F3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: RegSvcs.exe, 00000002.00000002.943036497.00000000013F3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: System.Windows.Forms.pdbw source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: C:\Windows\RegSvcs.pdbpdbvcs.pdb/ source: RegSvcs.exe, 00000002.00000002.943036497.00000000013F3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER3F08.tmp.dmp.5.dr

Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00DB445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00DB445A
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00DBC6D1 FindFirstFileW,FindClose,	0_2_00DBC6D1
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00DBC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00DBC75C
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00DBEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00DBEF95
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00DBF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00DBF0F2
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00DBF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00DBF3F3
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00DB37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00DB37EF
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00DB3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00DB3B12
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00DBBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00DBBCBC

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 158.101.44.242 158.101.44.242

May check the online IP address of the machine

Source: unknown

DNS query: name: checkip.dyndns.org

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\PO#7889296.exe

Code function: 0_2_00DC22EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00DC22EE

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: checkip.dyndns.org

Source: RegSvcs.exe, 00000002.00000002.945649160.0000000003139000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000002.00000002.945649160.0000000003126000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.945649160.0000000003139000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000002.00000002.945649160.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: PO#7889296.exe, 00000000.00000002.876674998.00000000016D0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.941080153.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000002.00000002.945649160.0000000003071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.5.dr	String found in binary or memory: http://upx.sf.net
Source: PO#7889296.exe, 00000000.00000002.876674998.00000000016D0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.941080153.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\PO#7889296.exe

Code function: 0_2_00DC4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00DC4164

Contains functionality to modify clipboard data

Source: C:\Users\user\Desktop\PO#7889296.exe

Code function: 0_2_00DC4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00DC4164

Contains functionality to read the clipboard data

Source: C:\Users\user\Desktop\PO#7889296.exe

0_2_00DC3F66

Contains functionality to retrieve information about pressed keystrokes

Source: C:\Users\user\Desktop\PO#7889296.exe

0_2_00DB001C

Potential key logger detected (key state polling based)

Source: C:\Users\user\Desktop\PO#7889296.exe

0_2_00DDCABC

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.PO#7889296.exe.16d0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.PO#7889296.exe.16d0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.PO#7889296.exe.16d0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.PO#7889296.exe.16d0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.PO#7889296.exe.16d0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.PO#7889296.exe.16d0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.PO#7889296.exe.16d0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.PO#7889296.exe.16d0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000002.00000002.941080153.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.941080153.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.876674998.00000000016D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.876674998.00000000016D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000000.00000002.876674998.00000000016D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000000.00000002.876674998.00000000016D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: PO#7889296.exe PID: 3624, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: PO#7889296.exe PID: 3624, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: RegSvcs.exe PID: 2916, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 2916, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00D53B3A
Source: PO#7889296.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: PO#7889296.exe, 00000000.00000002.876391115.0000000000E04000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_0ba8df37-a
Source: PO#7889296.exe, 00000000.00000002.876391115.0000000000E04000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_c856d7ed-2
Source: PO#7889296.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_463e7086-0
Source: PO#7889296.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_3aa6a49f-a

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: PO#7889296.exe

Contains functionality to communicate with device drivers

Source: C:\Users\user\Desktop\PO#7889296.exe

Code function: 0_2_00DBA1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_00DBA1EF

Contains functionality to launch a process as a different user

Source: C:\Users\user\Desktop\PO#7889296.exe

0_2_00DA8310

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\PO#7889296.exe

Code function: 0_2_00DB51BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00DB51BD

Detected potential crypto function

Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00D5E6A0	0_2_00D5E6A0
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00D7D975	0_2_00D7D975
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00D5FCE0	0_2_00D5FCE0
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00D721C5	0_2_00D721C5
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00D862D2	0_2_00D862D2
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00DD03DA	0_2_00DD03DA
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00D8242E	0_2_00D8242E
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00D725FA	0_2_00D725FA
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00D666E1	0_2_00D666E1
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00DAE616	0_2_00DAE616
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00D8878F	0_2_00D8878F
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00DB8889	0_2_00DB8889
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00DD0857	0_2_00DD0857
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00D86844	0_2_00D86844
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00D68808	0_2_00D68808
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00D7CB21	0_2_00D7CB21
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00D86DB6	0_2_00D86DB6
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00D66F9E	0_2_00D66F9E
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00D63030	0_2_00D63030
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00D7F1D9	0_2_00D7F1D9
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00D73187	0_2_00D73187
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00D51287	0_2_00D51287
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00D71484	0_2_00D71484
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00D65520	0_2_00D65520
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00D77696	0_2_00D77696
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00D65760	0_2_00D65760
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00D71978	0_2_00D71978
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00D89AB5	0_2_00D89AB5
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00DD7DDB	0_2_00DD7DDB
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00D71D90	0_2_00D71D90
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00D7BDA6	0_2_00D7BDA6
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00D63FE0	0_2_00D63FE0
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00D5DF00	0_2_00D5DF00
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_019429D8	0_2_019429D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0131330F	2_2_0131330F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_01313572	2_2_01313572
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0131300F	2_2_0131300F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_013130B1	2_2_013130B1

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: String function: 00D78900 appears 42 times
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: String function: 00D57DE1 appears 35 times
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: String function: 00D70AE3 appears 70 times

One or more processes crash

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 1476

Sample file is different than original file name gathered from version info

Source: PO#7889296.exe, 00000000.00000003.873561571.0000000004103000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs PO#7889296.exe
Source: PO#7889296.exe, 00000000.00000003.874033437.00000000042AD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs PO#7889296.exe
Source: PO#7889296.exe, 00000000.00000002.876674998.00000000016D0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs PO#7889296.exe

Uses 32bit PE files

Source: PO#7889296.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Yara signature match

Source: 0.2.PO#7889296.exe.16d0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.PO#7889296.exe.16d0000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PO#7889296.exe.16d0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.PO#7889296.exe.16d0000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.PO#7889296.exe.16d0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.PO#7889296.exe.16d0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PO#7889296.exe.16d0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.PO#7889296.exe.16d0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000002.00000002.941080153.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.941080153.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.876674998.00000000016D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.876674998.00000000016D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.876674998.00000000016D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000000.00000002.876674998.00000000016D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: PO#7889296.exe PID: 3624, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: PO#7889296.exe PID: 3624, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: RegSvcs.exe PID: 2916, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 2916, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: 0.2.PO#7889296.exe.16d0000.1.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO#7889296.exe.16d0000.1.raw.unpack, ---.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO#7889296.exe.16d0000.1.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO#7889296.exe.16d0000.1.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.PO#7889296.exe.16d0000.1.raw.unpack, ---.cs

Base64 encoded string: 'O6mfJ0hBC53+hk+N4Tzu6TRtFbdL3qod2Mr8IiV/ENJs+CZ6C7FqzyET0mCRJWTd'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@4/7@1/1

Source: C:\Users\user\Desktop\PO#7889296.exe

Code function: 0_2_00DBA06A GetLastError,FormatMessageW,

0_2_00DBA06A

Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00DA81CB AdjustTokenPrivileges,CloseHandle,		0_2_00DA81CB
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00DA87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00DA87E1

Source: C:\Users\user\Desktop\PO#7889296.exe

Code function: 0_2_00DBB3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00DBB3FB

Source: C:\Users\user\Desktop\PO#7889296.exe

Code function: 0_2_00DCEE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00DCEE0D

Source: C:\Users\user\Desktop\PO#7889296.exe

Code function: 0_2_00DBC397 CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00DBC397

Source: C:\Users\user\Desktop\PO#7889296.exe

Code function: 0_2_00D54E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00D54E89

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2916

Source: C:\Users\user\Desktop\PO#7889296.exe

File created: C:\Users\user\AppData\Local\Temp\aut2E7E.tmp

Jump to behavior

Source: PO#7889296.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\PO#7889296.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: PO#7889296.exe	Virustotal: Detection: 38%
Source: PO#7889296.exe	ReversingLabs: Detection: 61%

Source: unknown	Process created: C:\Users\user\Desktop\PO#7889296.exe "C:\Users\user\Desktop\PO#7889296.exe"
Source: C:\Users\user\Desktop\PO#7889296.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\PO#7889296.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 1476
Source: C:\Users\user\Desktop\PO#7889296.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\PO#7889296.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PO#7889296.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#7889296.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#7889296.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#7889296.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#7889296.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#7889296.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#7889296.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#7889296.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#7889296.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#7889296.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#7889296.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: PO#7889296.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: PO#7889296.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: PO#7889296.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: PO#7889296.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: PO#7889296.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: PO#7889296.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: PO#7889296.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: $$.pdb source: RegSvcs.exe, 00000002.00000002.941184833.00000000010F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdbr source: RegSvcs.exe, 00000002.00000002.941184833.00000000010F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: RegSvcs.exe, 00000002.00000002.943036497.00000000013F3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: System.ni.pdbRSDS source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.PDB source: RegSvcs.exe, 00000002.00000002.941184833.00000000010F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdbSystem.ni.dll source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: RegSvcs.pdb, source: RegSvcs.exe, 00000002.00000002.943036497.00000000013F3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: PO#7889296.exe, 00000000.00000003.875821730.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp, PO#7889296.exe, 00000000.00000003.873680544.0000000004180000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.pdb source: RegSvcs.exe, 00000002.00000002.943036497.00000000013F3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdbA source: RegSvcs.exe, 00000002.00000002.943036497.00000000013F3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: PO#7889296.exe, 00000000.00000003.875821730.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp, PO#7889296.exe, 00000000.00000003.873680544.0000000004180000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: RegSvcs.exe, 00000002.00000002.943036497.000000000137C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.pdbs source: RegSvcs.exe, 00000002.00000002.943036497.00000000013F3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: RegSvcs.exe, 00000002.00000002.943036497.00000000013F3000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.941184833.00000000010F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: RegSvcs.pdbegSvcs.pdbpdbvcs.pdbv4.0.30319\RegSvcs.pdb source: RegSvcs.exe, 00000002.00000002.941184833.00000000010F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: oC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.pdbt source: RegSvcs.exe, 00000002.00000002.941184833.00000000010F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: symbols\exe\RegSvcs.pdb source: RegSvcs.exe, 00000002.00000002.941184833.00000000010F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: o.pdb source: RegSvcs.exe, 00000002.00000002.941184833.00000000010F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: System.Core.ni.pdb source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: \??\C:\Windows\exe\RegSvcs.pdb]g1) source: RegSvcs.exe, 00000002.00000002.943036497.000000000137C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: \??\C:\Windows\symbols\exe\RegSvcs.pdb source: RegSvcs.exe, 00000002.00000002.943036497.00000000013F3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: o0C:\Windows\RegSvcs.pdb source: RegSvcs.exe, 00000002.00000002.941184833.00000000010F7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: RegSvcs.pdbsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows source: RegSvcs.exe, 00000002.00000002.946966451.00000000064B2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: \??\C:\Windows\RegSvcs.pdb source: RegSvcs.exe, 00000002.00000002.943036497.00000000013F3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.PDB source: RegSvcs.exe, 00000002.00000002.943036497.00000000013F3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: RegSvcs.exe, 00000002.00000002.943036497.00000000013F3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: System.Windows.Forms.pdbw source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: C:\Windows\RegSvcs.pdbpdbvcs.pdb/ source: RegSvcs.exe, 00000002.00000002.943036497.00000000013F3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER3F08.tmp.dmp.5.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER3F08.tmp.dmp.5.dr

Source: PO#7889296.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: PO#7889296.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: PO#7889296.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: PO#7889296.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: PO#7889296.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\PO#7889296.exe

Code function: 0_2_00D54B37 LoadLibraryA,GetProcAddress,

0_2_00D54B37

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\PO#7889296.exe

Code function: 0_2_00D78945 push ecx; ret

0_2_00D78958

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00D548D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00D548D7
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00DD5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00DD5376

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\PO#7889296.exe

0_2_00D73187

Source: C:\Users\user\Desktop\PO#7889296.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#7889296.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\PO#7889296.exe

API/Special instruction interceptor: Address: 19425FC

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Binary or memory string: PROCESSHACKER.EXE

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\PO#7889296.exe

API coverage: 4.4 %

Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00DB445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00DB445A
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00DBC6D1 FindFirstFileW,FindClose,	0_2_00DBC6D1
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00DBC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00DBC75C
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00DBEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00DBEF95
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00DBF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00DBF0F2
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00DBF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00DBF3F3
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00DB37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00DB37EF
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00DB3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00DB3B12
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00DBBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00DBBCBC

Source: C:\Users\user\Desktop\PO#7889296.exe

Code function: 0_2_00D549A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00D549A0

Source: Amcache.hve.5.dr	Binary or memory string: VMware
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr	Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
Source: Amcache.hve.5.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: RegSvcs.exe, 00000002.00000002.943036497.00000000013DA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllw~N
Source: Amcache.hve.5.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.5.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.5.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.5.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.5.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.5.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Checks if the current process is being debugged

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort			Jump to behavior

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Source: C:\Users\user\Desktop\PO#7889296.exe

Code function: 0_2_00DC3F09 BlockInput,

0_2_00DC3F09

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\PO#7889296.exe

Code function: 0_2_00D53B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00D53B3A

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Users\user\Desktop\PO#7889296.exe

0_2_00D85A7C

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\PO#7889296.exe

Code function: 0_2_00D54B37 LoadLibraryA,GetProcAddress,

0_2_00D54B37

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_01941208 mov eax, dword ptr fs:[00000030h]	0_2_01941208
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_019428C8 mov eax, dword ptr fs:[00000030h]	0_2_019428C8
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_01942868 mov eax, dword ptr fs:[00000030h]	0_2_01942868

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\PO#7889296.exe

Code function: 0_2_00DA80A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_00DA80A9

Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00D7A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00D7A155
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00D7A124 SetUnhandledExceptionFilter,		0_2_00D7A124

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\PO#7889296.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\PO#7889296.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: F2C008

Jump to behavior

Contains functionality to execute programs as a different user

Source: C:\Users\user\Desktop\PO#7889296.exe

Code function: 0_2_00DA87B1 LogonUserW,

0_2_00DA87B1

Contains functionality to launch a program with higher privileges

Source: C:\Users\user\Desktop\PO#7889296.exe

Code function: 0_2_00D53B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00D53B3A

Contains functionality to simulate keystroke presses

Source: C:\Users\user\Desktop\PO#7889296.exe

0_2_00D548D7

Contains functionality to simulate mouse events

Source: C:\Users\user\Desktop\PO#7889296.exe

Code function: 0_2_00DB4C53 mouse_event,

0_2_00DB4C53

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\PO#7889296.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\PO#7889296.exe"

Jump to behavior

Source: C:\Users\user\Desktop\PO#7889296.exe

0_2_00DA7CAF

Source: C:\Users\user\Desktop\PO#7889296.exe

Code function: 0_2_00DA874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00DA874B

Source: PO#7889296.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: PO#7889296.exe	Binary or memory string: Shell_TrayWnd

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\PO#7889296.exe

Code function: 0_2_00D7862B cpuid

0_2_00D7862B

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\PO#7889296.exe

Code function: 0_2_00D84E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00D84E87

Source: C:\Users\user\Desktop\PO#7889296.exe

Code function: 0_2_00D91E06 GetUserNameW,

0_2_00D91E06

Source: C:\Users\user\Desktop\PO#7889296.exe

Code function: 0_2_00D83F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00D83F3A

Source: C:\Users\user\Desktop\PO#7889296.exe

Code function: 0_2_00D549A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00D549A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.PO#7889296.exe.16d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO#7889296.exe.16d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.941080153.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.876674998.00000000016D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.945649160.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO#7889296.exe PID: 3624, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2916, type: MEMORYSTR

OS version to string mapping found (often used in BOTs)

Source: PO#7889296.exe	Binary or memory string: WIN_81
Source: PO#7889296.exe	Binary or memory string: WIN_XP
Source: PO#7889296.exe	Binary or memory string: WIN_XPe
Source: PO#7889296.exe	Binary or memory string: WIN_VISTA
Source: PO#7889296.exe	Binary or memory string: WIN_7
Source: PO#7889296.exe	Binary or memory string: WIN_8
Source: PO#7889296.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Yara detected Credential Stealer

Source: Yara match	File source: 0.2.PO#7889296.exe.16d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO#7889296.exe.16d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.941080153.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.876674998.00000000016D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO#7889296.exe PID: 3624, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2916, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 0.2.PO#7889296.exe.16d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO#7889296.exe.16d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.941080153.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.876674998.00000000016D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.945649160.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO#7889296.exe PID: 3624, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2916, type: MEMORYSTR

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00DC6283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00DC6283
Source: C:\Users\user\Desktop\PO#7889296.exe	Code function: 0_2_00DC6747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00DC6747

ID:	1650618
Product:	CloudBasic
Start time:	20:52:22
Start date:	27.03.2025
Sample:	PO#7889296.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	1312de280df9f1a993e4c3d93764010b
SHA1:	8021cc971121660193bf049ad4e20db1421b73f2
SHA256:	f406a0fd055028ed41cfbc96b9bffb575e14272b26cb5091c7a16f35d15c821b
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RegSvcs.exe_bd1742a62c46c3d34c9ea6f7cd9209ba27e2f3c_40336bb7_ce25130b-69e9-49ce-aaac-61d04bac2106\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	5503CC88C89C6B6A0AE00B74DABF4FA0	ED8A1D6C260968EEB4CCAD84844DCA9D9948EC1F	E5EE6E0C6B947C2D840C3BBE4733E4D0256CEBBF0234224F54AB1DB5088AE6CE
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3F08.tmp.dmp	Mini DuMP crash report, 15 streams, Thu Mar 27 19:53:23 2025, 0x1205a4 type	50F92DDF27E9F44E43022CC77B1FE0BC	7DB03619A2AB957F30E221C3A49DB1AED85E8231	510F112CAD22FAE982134A8A91EBDB94CF195305947C384166B301FAE75BD7A3
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4217.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	C9C81259F74632F61C1F46782DBB57F0	9F85AFFA6B303939A50253C368EB510478FEF851	CD69EFBB94316983DAE46B3BB918172A60B021377FA4FDB3A6E0F1C270F00D35
C:\ProgramData\Microsoft\Windows\WER\Temp\WER42A4.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	4888E1AA049EC984FA72FEFB91B3A87E	F978916E1E67D4D93AA3D3F68C9E33E8EB3877D0	9A7A1550BE5FF17C5370082D2F74A39E54D2685AFC6A07B411B09B5DAD00A65B
C:\Users\user\AppData\Local\Temp\aut2E7E.tmp	data	020901997F2303212C9A746D095F23F1	50A46426173626D14F5305BDB1F5A95A29978109	B66EC1D88416D2D2400DAF961B19425E4D4505C76AF4A9B0FBD697EF1E7C7F57
C:\Users\user\AppData\Local\Temp\flexuoseness	data	A1EE472D822F3225B2317504C7761E00	CE7D6EA507D35A57BE2D440FAFDC2762E8DBEE71	8A3733E2975C8B1D7B3C2DF4799235E59501373C8D2C549365E2667B94AB6825
C:\Windows\appcompat\Programs\Amcache.hve	MS Windows registry file, NT/2000 or above	12F99C29357C313334DB83B630E219EB	CEE0F116AFC3AB282A382C81A5870A7DC9303AF8	982C17DA6DF3F39B6DE51C8540E630B9EF86378201F53865A0FEAAFA9AE65DDD

Windows Analysis Report
PO#7889296.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report PO#7889296.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
PO#7889296.exe

Malware Threat Intel
Provided by